Purpose – The purpose of this paper is to develop and test a research model that looks at the direct impact of information technology (IT) capabilities on firm performance and the mediating effects of the information security management system (ISMS) on this relationship. Design/methodology/approach – The study uses a hypothetico-deductive approach based on quantitative data collected from 136 surveyed professionals in the field of IS, IT and the related security environment. Findings – The results confirm the direct impact of IT capabilities on firm performance and the mediating effects of ISMS on this relationship. Originality/value – The study draws on the resource-based view theory to develop a model that assesses the direct impact of IT capabilities on firm performance and the mediating effects of ISMS on this relationship in Cameroon, a developing country in Africa.

Introduction

In the current IT-dominated age, information has become the primary asset of any ambitious organization, and the quality of management decision is completely dependent on information. Information capabilities span a wide array of domains: enhancing business operations; facilitating management decision making; and deploying business strategies (Silva et al., 2014). Moreover, IT capacities bring performance to business (Lee et al., 2007; Yeh et al., 2012). Yet, companies that have integrated relevant IT capabilities may experience other serious challenges to their performance, especially when it comes to value creation. Computer attacks are known to be among the causes of these challenges, as maintaining and safeguarding the confidentiality, integrity and availability of information is a tough assignment for firms which are eager to protect their strategic value (ISO/IEC, 2013; Silva et al., 2014). According to Knowdys Consulting Group, cybercrime has a very negative impact on the economic development of Sub-Saharan African enterprises. For example, in 2014, cybercrime costs between $12,000 and $13,000 per day to businesses based in West Africa (Knowdys Consulting Group, 2014). In fact, the literature confirms that SMEs in Africa face numerous obstacles to their development, notably as regards information security, because there is a shortage of skilled human resources, IT resources and support (Dubelaar et al., 2005). Moreover, the today’s global connectedness and the quickly evolving nature of ITs have made technology-driven security solutions inadequate to meet information security challenges (Hall et al., 2011). In this context, an organization can be cyber-attacked even when its IT capabilities are good. Examples of common cyber-attacks include login usurpation of non-IT employees by means of social engineering, which harms the organization and undermines its performance, and targeting and attacking a dismissed employee whose login information was not withdrawn from the list of authorized users. Therefore, protecting IT information has become a key economic challenge for organizations seeking to ensure a permanent security of both their information and the related technology (Weishäupl et al., 2015). Additionally, even though firms have been investing increasingly in information security and in their strategic role in today’s business success, an effective implementation of information security strategy remains one of their top challenges (Ernst & Young, 2011). It should be recalled that while information security is crucial to the survival of any serious organization, it can only be guaranteed by the information security risk management (ISRM) (ISO/IEC, 2013), whose importance is always remarkable when IT capabilities naturally expose the organization to information security risks or IT risks (Carcary, 2013; Ernst & Young, 2011). Thus, in this study, we investigate the impact of integrating an information security system into enterprise performance. Is an information security system embedded into the IT structure of an organization enough to trigger its performance? The literature on IS indicates that the relationship between information technology (IT) capabilities and organizational performance appears to be a widely studied topic and related findings are being used by decision makers (Huang et al., 2009). Despite the importance of IT capabilities within an organization nowadays, it is difficult to link them with the anticipated benefits for an organization (Wade and Hulland, 2004). The resource-based theory (RBT) was developed to sustain that a company with resources has a competitive advantage that can be maintained for a long term to enhance performance. This is a key theoretical perspective that explains the relationship between IT capabilities and firm performance (Addas and Pinsonneault, 2007; Bharadwaj, 2000; Wade and Hulland, 2004). According to RBT, resources are static while our environment is dynamic. Taking into consideration that a company must always fit one’s surroundings, RBT alone cannot explain the impact of IT capabilities on firm performance (Huang et al., 2009).