Moderating role of entrepreneurial orientation on the relationship between information security risk assessment and firm performance in Kenya


  • Stanley Ndungu JKUAT
  • Kenneth Wanjau Karatina University
  • Robert Gichira JKUAT
  • Waweru Mwangi JKUAT



Keywords: Information Security Risk Assessment, Risk Assessment Process, SMEs, Information Security Management


Information security risk assessments (ISRA) enable SMEs to identify their key information assets and risks in order to develop effective and economically viable control strategies. In Kenya, SMEs employ about 85 percent of the workforce. The need to link ISRA with firm performance has become vital for firms striving to achieve superior performance. However, limited attention has been paid to this link, and in particular to the moderating role of entrepreneurial orientation (EO) in the ISRA-firm performance relationship. To better understand this relationship, this paper employed mixed methods research guided by a cross-sectional research design. Quantitative and qualitative techniques were employed to analyze the collected data using the SPSS, MS Excel, AMOS, SmartPLS, STATA, R-GUI and ATLAS.ti analytical software packages. Analyses were conducted using a two-phase process consisting of confirmatory factor analysis (CFA) and structural equation modeling (SEM). The theoretical models and hypotheses were tested based on empirical data gathered from 94 SMEs in the 2013 Top 100 Survey. The study found that ISRA was a significant predictor of firm performance. The results also revealed that entrepreneurial orientation significantly moderated the relationship between ISRA and firm performance in Kenya. This study will enhance the skill set in Kenyan SMEs and produce a more sustainable solution.








How to Cite

Ndungu, S., Wanjau, K., Gichira, R., & Mwangi, W. (2018). Moderating role of entrepreneurial orientation on the relationship between information security risk assessment and firm performance in Kenya. International Journal of Professional Business Review, 3(2), 131–152.