Cyber-security effect on organizational internal process: mediating role of technological infrastructure

Adopting the technologies among organizations comes with the continuous worries of protection and hacking. The idea of cyber-security has become over the years the main interest of many organizations, which depend on technologies in its operations, which requires them to pay extra attention to their technological infrastructure. The current study aims at examining the influence of cyber-security forces on organizational internal operations and the role of technological infrastructure in defining and controlling the level of protection that cyber-security has on organizational internal processes. Quantitative approach was adopted, and a questionnaire was utilized to collect the data from a convenient sample of 360 software engineers, network engineers, software testers, web developers, and technical support using a structured survey questionnaire, and analyzed using SPSS version 21. The results confirmed that cyber-security motivators (data growth, technology expansion, access to required resources, operational con-trol, and technical control) indirectly affect solid internal processes that are attributed to the consistency of technological infrastructure in an organization. The variable of ‘data growth’ appeared to be the most influential motivator on cyber-security strategies, as it scored a mean of 4.2661, which is the highest among all adopted variables and followed by the variable of ‘technical control’, which scored a mean of 4.1296. Accordingly, the study recommends that organizations should consider IT infrastructure as a main item within their risk management strategies to avoid unpredicted risks and attacks.


INTRODUCTION
Nowadays society runs largely on technology, as it depends on it for commerce, industry, and interaction. This dependency of society on technology has made cyber to be firmly entrenched in people's mindset and language. While the use of the technology or cyber/internet has led to significant advances in many areas, it has exposed individuals and organizations to a host of security risks emanating from cyber-attacks via digital interfaces. Examples of these cyber-attacks include data breaches on personal and corporate devices, the virus that attacks computer infrastructure, and denial-of-service (DoS) attacks on computer networks. Other common forms of cyber acts that can potentially cause harm to an organization include sabotaging of systems to compromise the integrity of the systems and services, copying of customers' data for selling on dark web, and theft of corporate secrets. As emphasized by Agrafiotis, Nurse, Goldsmith, Creese, and Upton (2018), these cyber breaches, attacks, and threats have increasingly become a key concern for many organizations and are now at the center of organizational cyber-risk and security discussion. A report

LITERATURE REVIEW
Cyber-security was defined by Schatz, Bashroush, and Wall (2017, p. 64) as "the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyber-environment and organization and assets." As it is known, having internet means to have open doors to the world; those open doors do not only bring us information, developments, and enhancements; it also brings us risks, dangers, and pitfalls that can erupt and cause much damage. Vishik, Matsubara, and Plonk (2016) defined cyber-security as "an activity that protects the human and financial resources associated with ICTs, ensures the potential to reduce losses and damages in the event of risks and threats, and allows the situation to be restored as quickly as possible, so that the wheel does not stop." The idea of cyber-security came in accordance with the concept of cyber-attacks and piracy, which appeared on the internet, resembling itself as a ghost that threatens online data and information, in addition to risking the security of transactions that take place online (Whyte & Mazanec, 2018). Priyadarshini (2018) argued that cyber-security is considered to be an important pillar of information security not only at the organization-al level but also at the level of countries, as it includes e-government security.
In general, cyber-security is considered to be one of the most important issues that are attracting the attention of the countries. Nowadays, many countries are putting the concept of cyber-security on its agenda as a reference to the importance of this issue and the in-reversed negative influence that this problem may bring with it (Efthymiopoulos, 2016). Many scholars (Abu-Taieh, Al Faries, Alotaibi, & Aldehim, 2018; Keplinger, 2018; Dewal, Narula, Jain, & Baliyan, 2018) have stated that cyber-security is not only tools and software; it is more of an ideology that organizations embrace to spread the culture of cyber-security among its individuals.
On the other hand, Elamiryan and Bolgov (2018) noted that cyber-crimes can be committed either by people outside the organization who infiltrate the computer system (often through networks) or by people within the organization who have access to the system, but who abuse the system for various reasons. Orkand Consulting stated that losses from computer crime are estimated at US$ 1.5 million for computerized banking companies in the United States. On the other hand, the National Center for Computer Crime Data in Los Angeles estimates that 70% of recorded cyber-crimes occurred from within, i.e., by those working within organizations management of information systems in particular.
Protecting the organizational information and supporting its data with the needed cyber-security can, with no doubt, be considered to be an expensive and hectic process.
Over time, the continuous operations on an organization's data begin to increase in accordance with the on-going operating life. The organization begins to collect the data that are related to many aspects of organizational processes. Udo et al. (2018) noted that this expansion of the data in the organizations increases the force towards developing risks in the organizational internal process, specifically if the organization was based on the high end of technological advancement. Narukonda and Rowland (2018) stated that online operating organization and those working on the internet, like online trading and communication, are usually more exposed to cyber-attacks compared to those organizations, which are away from technology. Pernik (2016) noted that the expansion of technology is the first fore towards increasing hazards and risks of cyber-attacks. He argued that the expansion of technology opens different gates of information, which increases the flow and also jeopardizes the organization into a realm of data leading it to the state of sensitivity technology-wise. This idea, according to Horowitz et al. (2018), is considered to be one of the most sensitive forces of security issues. The access of different personnel to information should be based on a strict approach that can control those who have access and who do not. On the other hand, Moreira, Molina, Lazaro, Jacob, and Astarloa (2016) noted that free access to data within an organization to its personnel makes these data accessible for the outsider. They meant that if an organization was not well-protected, then it would be easier for external parties to perform any type of attacks on its systems and exposing it to the dangers of hacking and piracy.
The role of operational control is very important in this field. It refers to the group of processes that are manifested in the internal environment of an organization and which, through control, can be managed and handled according to what is needed and required (Poresky, Andreades, Kendrick, & Peterson, 2017). From the perspective of Udo, Bagchi, and Kirs (2018), it was noted that operational control is basically sourced from individuals who have to enjoy a high level of awareness regarding security. This awareness is one of the basic needs among individuals since they are the first and only operator of technological equipment and tools.
Rasekh, Hassanzadeh, Mulchandani, Modi, and Banks (2016), on the other hand, argued that operational control is sourced from plans and strategies that an organization embraces through its operating times. When an organization decides to adopt the technology of different types, it should put into the perspective of its strategies that cyber-attacks and different cyber hazards come with the package. There is no such thing as gaining advantages and being harmed from the disadvantages, based on which the disadvantages of technologies are one of the aspects that can be controlled through the organizational operational process.
The technical control is sourced here through activating all knowledge that employees have in references to cyber-attacks and protection. Not to mention the role of technological infrastructure that also plays a role in defining the nature of operational control and awareness of employees at the security level. Poresky et al. (2017) added that the technical control appears not only at the level of personnel, but also at the level of tools, programs, and software that an organization embraces to protect itself from cyber-attacks and forms a well-built framework that can work as a shield of cyber-security for organization.
A cyber-security system would not be valid alone; at the end, it is nothing more than a program or software that needs other factors to be activated and perform in the best way possible. (2014) noted that there are main components that when gathered can formulate the overall performance of cyber-security systems in the organizations. They noted that there are four main components, which are: technological solutions, processes, methods, and human engagement. Rasekh et al. (2016) noted that technological infrastructure refers to the set of means and capabilities normally coordinated by a centralized information organization. For example, a telecommunications network operated by a particular enterprise and shared by many commercial and service organizations constitutes a common infrastructure. Laws and customs constitute mechanisms that link the exploitation of both physical and mental compounds to the IT architecture. The common facilities for IT architecture are the embodiment of the architecture and the realization of practical applications.
Also, Rasekh et al. (2016) added that the degree of sophistication that the technological infrastructure of an organization depends on and the idea of infrastructure is very important in any organization that seeks to depend on technology to operate. It plays a very important role in defining the degree of security that this organization enjoys in terms of protection, speed, and final results. A week infrastructure, specifically in technology, cannot be useful for the organization; on the contrary, it can be seen as a threat to organizational core into a weak performance in terms of technology.
Technological infrastructure rules dictate how resources are acquired, managed, or exploited. Working groups may have building and development software with rules that dictate the use of specific physical capabilities such as programming languages (C++, Pascal). In this example, IT standards provide a guideline for determining both the use of mental capabilities in the software development method and the use of specific physical capabilities (programming languages) in the application software development process (Göztepe, Kılıc, & Kayaalp, 2014).
The employees within the field of IT are among the factors that deeply influence the level of cyber-security in an organization. It is normally taken for granted that employees within the field of IT have to be highly trained and experienced in the technology and its tools. This experience would not be valid or useful unless those employees enjoy a high level of awareness regarding the importance of security, protection, and technological hazards that accompany IT-based organizations (Pfleeger, Sasse, & Furnham, 2014).
Considering staff and employees as a force for cyber-security is seen as one of the most important issues that should be addressed by the management. Some aspects of cyber-security require high level of alert from employees in order for the security to be valid within the organization. This requires the employment of highly experienced individuals in the field (Dewal et al., 2018). Göztepe et al. (2014) noted that the operating software is of great importance. An organization should pay extra attention to the nature and approach of software it uses to guarantee the best and the strongest protection for its technological advancements used in its internal operations. Software is usually supplied with suitable protective programs that enable it to work in a safe environment. The organization should be aware of the importance of protected software before installing it in its system due to the massive fragility that can be brought through uncensored software.
The network is one of the important aspects in the field of cyber-security. A network is mainly the first gate an attacker may take to attack. In that sense, the network on an organization should be built on a strong technological infrastructure that helps it work on the safe level rather than exposing the organization to attacks that may endanger its existence (Diego, 2019).

CONCEPTUAL SCHEME AND HYPOTHESES
Stafford, Deitz, and Li (2018) noted to the importance of internal processes in identifying cyber-security and mainly internal audit. Stafford et al.
(2018) claimed that internal processes like monitoring, audit, and controlling are among the important factors that shape the way cyber-security is in an organization. On the other hand, one of the leading consulting organizations around the world "Deloitte" mentioned in one of its annual reports that cyber-security is mainly a culture that spread in the organization in the shape of tools, strategies, plans, and approaches. Deloitte (2015) stated that following the security-based internal processes can help in defining the concept of cyber-attacks and piracy in a clearer approach and in building a secure environment. Generally speaking, the more technology and internet are used, the more there is a chance to expose the organization for cyber-security issues. Many scholars spoke of such forces and risks, which increase cyber-security risks, such as Yasin, Liu, Li, Wang, and Zowghi (2018) who argued that operational control and technical control and are main motivators for cyber-security risks, while Pak Nejad et al. (2014) argued that data growth, technology expansion and access to required resources can enhance the chances of cyber-risk.
Based on the above argument, the current study seeks to examine the influence of cyber-security forces on internal operational processes within the organization and the role of technological infrastructure in controlling such forces and their implications on internal processes.
Based on the above conceptual framework supported by the existent literature, it was hypothesized that: 1. Cyber-security motivators positively and statistically significantly help create solid internal processes.

Sample
Data were collected using a convenient sampling technique by selecting a sample of 360 software engineers, network engineers, software testers, web developers, and technical support participants from engineering, electrical and information technology sectors in Jordan.

Data collection tool
Quantitative data used in the present study were collected using a structured survey questionnaire derived from past studies and modified to reflect the context of the present study. The questionnaire consisted of closed-ended questions scored on the Likert scale ranging from 1 to 5, with 1 representing strongly disagree, 2 representing disagree, 3 representing neutral, 4 representing agree, and 5 representing strongly agree.
The questionnaire encompassed two sections. The first section covered the demographic variables, namely age, gender, experience, and position. The second part of the questionnaire statements was   A total of 400 questionnaires were distributed using drop and pick method to 400 participants who were software engineers, network engineers, software testers, web developers, and technical support. A total of 360 participants filled the questionnaires and returned them, representing a response rate of 90%.

Data analysis
Data analysis was undertaken using SPSS version 21. Data were processed into descriptive statistics (mean, standard deviation, mode, and median). Path analysis was undertaken using IBM SPSS Amos 21.0 program.
A reliability test was undertaken using SPSS's Cronbachs' alpha, which measures the internal consistency of a construct. The result showed a value of 0.942 for all items, as well as alpha for each variable is greater than accepted percent 0.60, which is a reasonable value, indicating the tool consistency that enhanced its use for the study.

RESULTS
Frequency and percentages were used to describe the following sample characteristics. Table 1 shows that the majority of the sample ranged between 25-30 years and 31-36 years, forming 36.7% and 38.1% of the total sample, respectively, while those within the age range (43+) form 8.1% of the sample.    From the descriptive statistics as revealed in Table 5, participants either agree (value 4) or strongly agree (value 5) (i.e., a mean of above 3) to questionnaire statements regarding data growth, technological expansion, access to the required resources, operational control, technical control, solid internal processes, and technological infrastructure. This indicates that they approve (4) or strongly approve the statements relating to data growth, technological expansion, access to the required resources, operational control, technical control, solid internal processes, and technological infrastructure.
As can be inferred in Table 6, the statements regarding data growth, technology expansion, re-quired resources, operational control, technical control, solid internal processes, and technological infrastructure are approved. This is based on the view that the mean of responses ranged between 3 and 5 as scored on the Likert scale, which indicates an approval (agree) or strong approval (5) of the statements captured in the questionnaire. Based on path analysis, the results are found and presented in Table 7. To test the structural model fit, the value of X2 = 5.221 is not significant at 0.05, GFI = 0.9920 is an excellent indicator, the CFI = 0.981 is an excellent value, RAMSEA = 0.065 is an acceptable value, which means the structural model is fit.
To test the structural model fit, the value of X2 = 5.221 is not significant at 0.05, GFI = 0.992 is an excellent indicator, the CFI = 0.981 is an excellent value, RAMSEA = 0.065 is an acceptable value, which means the structural model is fit. Table 8 shows that the study hypotheses were supported.
The results of the analysis presented in Table 7 show that C.R. values are significant at 0.05 level, which means: • cyber-security motivators positively and statistically significantly help create solid internal processes; • cyber-security motivators positively and statistically significantly influence technological infrastructure; • technological infrastructure positively and statistically significantly influences solid internal processes.
Also, it was found that standardized indirect effect of technological infrastructure was significant at level 0.05, which means technological infrastructure mediates the relationship between cyber-security motivators and solid internal processes, as shown in Figure 2.  Note: ** significant at 0.05 level.

DISCUSSION
As was seen from previous section, which presented the results of analyzing the collected research data, it appeared that all presented hypotheses were accepted. The relationship between cyber-security motivators and solid internal processes is basically nourished and supported through the well-built technological infrastructure. The analysis showed that, based on the respondents' answers, technological infrastructure is one of the most important aspects that helps create a valid theatre for supporting a good level of cyber-security. From the analysis, it was seen that data growth is the most influential cyber-security motivator for solid internal processes, as it scored a mean of 4.2661, which indicate that the more data there is, the more intensive cyber-security should be, as the organization would be more exposed to hazardous attacks within the network. In the 2nd tank of influence came technical control, scoring a mean of 4.1296, which also appeared to be influential in managing the technical issues and plans for the cyber-security strategies, leading to a better fit of the organization and its internal processes.
The study results came to be intact with many studies that focused on the aforementioned variables like Haq (2019) who focused on the data expansion and growth and its role in increasing the exposure of the organization to attacks and dangers within the network. Also, Miron and Muita (2014) focused on the fact that many cyber-security motivators may appear as a hazard for the organizational internal process. Those motivators may vary from the widely famous motivators to the least known ones, which the organization might not be familiar with. However, the authors supported the fact that a well-built technological infrastructure may play a role in increasing the level of security within the organization and decrease levels of exposure towards many types of motivators. This was supported by the current study and appeared through the tested hypotheses, which pointed out the nature of the relationship between cyber-security, internal process, and the delegation of technological infrastructure. The results also supported a study by Stafford et al. (2018) Figure 2. Chart for path analysis results when they argued that in the current time, there are rarely an organization that can work excluded from internet and technology, which complicates its journey to achieve the set goals and, at the same time, collects the data that are massive and may expose the organization to different types of risks and hazards based on the availability of such data to other parties.

CONCLUSION
Based on the present study, cyber-security motivators positively and statistically significantly help create solid internal processes; cyber-security motivators positively and statistically significantly influence technological infrastructure; and technological infrastructure positively and statistically significantly influences solid internal processes.
Based on the results and conclusion, the current study recommended the following: increase the awareness of staff within an organization regarding the importance of infrastructure and the need to work on building it on a solid base. Continuous maintenance and monitoring of technical support is the main issue in managing any gaps that may appear and utilized by attackers and cyber creepers. Before adopting new technology, the organization should examine and test their current technology to find out the suitability of adopting new technology and, at the same time, avoid any possible risks for the organization.