Investigation of Employee Security Behaviour: A Grounded Theory Approach

  • Lena ConnollyEmail author
  • Michael Lang
  • J. D. Tygar
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 455)


At a time of rapid business globalisation, it is necessary to understand employee security behaviour within diverse cultural settings. While general deterrence theory has been extensively used in Behavioural Information Security research with the aim to explain the effect of deterrent factors on employees’ security actions, these studies provide inconsistent and even contradictory findings. Therefore, a further examination of deterrent factors in the security context is required. The aim of this study is to contribute to the emerging field of Behavioural Information Security research by investigating how a combination of security countermeasures and cultural factors impact upon employee security behaviour in organisations. A particular focus of this project is to explore the effect of national culture and organisational culture on employee actions as regards information security. Preliminary findings suggest that organisational culture, national culture, and security countermeasures do have an impact upon employee security behaviour.


Employee security behaviour Security countermeasures Organisational culture National culture 


  1. 1.
    Spears, J.L., Barki, H.: User participation in information systems security risk management. MIS Quarterly 34(3), 503–522 (2010)Google Scholar
  2. 2.
    Posey, C., Bennett, R., Roberts, T.L.: Understanding the mindset of the abusive insider: an examination of insiders’ causal reasoning following internal security changes. Computers & Security 30(6–7), 486–497 (2011)CrossRefGoogle Scholar
  3. 3.
    D’Arcy, J., Hovav, A., Galletta, D.: User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research 20(1), 1–20 (2009)CrossRefGoogle Scholar
  4. 4.
    Lee, S.M., Lee, S.G., Yoo, S.: An integrative model of computer abuse based on social control and general deterrence theories. Information & Management 41(6), 707–718 (2004)MathSciNetCrossRefGoogle Scholar
  5. 5.
    Hu, Q., Dinev, T., Hart, P., Cooke, D.: Managing employee compliance with information security policies: the role of top management and organizational culture. Decision Sciences 43(4), 615–660 (2012)CrossRefGoogle Scholar
  6. 6.
    Hu, Q., Xu, Z., Dinev, T., Ling, H.: Does deterrence work in reducing information security policy abuse by employees? Communications of the ACM 54(6), 54–60 (2011)CrossRefGoogle Scholar
  7. 7.
    Ifinedo, P.: Understanding information systems security policy compliance: An integration of the theory of planned behavior and the protection motivation theory. Computers & Security 31, 83–95 (2012)CrossRefGoogle Scholar
  8. 8.
    D’Arcy, J., Herath, T.: A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems 20(6), 643–658 (2011)CrossRefGoogle Scholar
  9. 9.
    Son, J.-Y.: Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Information & Management 48(7), 296–302 (2011)CrossRefGoogle Scholar
  10. 10.
    Pavlou, P.A., Chai, L.: What drives electronic commerce across cultures? A cross-cultural empirical investigation of the theory of planned behavior. Journal of Electronic Commerce Research 3(4), 240–253 (2002)Google Scholar
  11. 11.
    Dinev, T., Goo, J., Hu, Q., Nam, K.: User behaviour towards protective information technologies: the role of national culture differences. Information Systems Journal 19(4), 391–412 (2009)CrossRefGoogle Scholar
  12. 12.
    Hofstede, G.: Culture’s Consequences: International Differences in Work-related Values. Sage Publications, Thousand Oaks (1980)Google Scholar
  13. 13.
    Ali, M., Brooks, L.: Culture and IS: National Cultural Dimensions within IS Discipline. In: Proceedings of the 13th Annual Conference of the UK Academy for Information Systems, pp.1–14 (2009)Google Scholar
  14. 14.
    Kroeber, A.L., Kluckhohn, C.: Culture: A critical review of concepts and definitions. Peabody Museum, Cambridge (1952)Google Scholar
  15. 15.
    Baker, E.L.: Managing organizational culture. Management Review 69, 8–13 (1980)Google Scholar
  16. 16.
    DeLong, D.W., Fahey, L.: Diagnosing cultural barriers to knowledge management. Academy of Management Executive. 14(4), 113–127 (2000)Google Scholar
  17. 17.
    Mead, M.: National character. In: Tax, S. (eds.) Anthropology Today, pp. 396–421. University of Chicago Press, Chicago (1962)Google Scholar
  18. 18.
    Triandis, H.C.: The Analysis of Subjective Culture. Wiley, New York (1972)Google Scholar
  19. 19.
    Kilmann, R.H.: Managing your organization’s culture. The Nonprofit World Report 3(2), 12–15 (1985)Google Scholar
  20. 20.
    Phillips, M.E.: Industry mindsets: Exploring the cultures of two macro-organizational setting. Organization Science 5(3), 363–383 (1994)CrossRefGoogle Scholar
  21. 21.
    Hofstede, G.: Culture’s Consequences. Comparing Values, Behaviors, Institutions, and Organizations Across Nations, 3rd edn. Sage Publications, Thousand Oaks (2001)Google Scholar
  22. 22.
    Flores, W.R., Antonsen, E., Edstedt, M.: Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security 43, 90–110 (2014)CrossRefGoogle Scholar
  23. 23.
    Zhang, D., Lowry, P.B., Zhou, L., Fu, X.: The Impact of Individualism-Collectivism, Social Presence, and Group Diversity on Group Decision Making under Majority Influence. Journal of Management Information Systems 23(4), 53–80 (2007)CrossRefzbMATHGoogle Scholar
  24. 24.
    Mintzberg, H.: Structure in fives: Designing effective organizations. Prentice-Hall Int., Englewood Cliffs (1983)Google Scholar
  25. 25.
    Besnard, D., Arief, B.: Computer security impaired by legitimate users. Computers & Security. 23(3), 253–264 (2004)CrossRefGoogle Scholar
  26. 26.
    Beccaria, C.: On Crimes and Punishment. Macmillan, New York (1963)Google Scholar
  27. 27.
    Herath, T., Rao, H.: Encouraging information security behaviors in organizations: role of penalties, pressures and perceived effectiveness. Decision Support Systems 47(2), 154–165 (2009)CrossRefGoogle Scholar
  28. 28.
    Siponen, M., Vance, A.: Neutralization: new insights into the problems of employee information systems security policy violations. MIS Quarterly 46(5), 487–502 (2010)Google Scholar
  29. 29.
    Matavire, R., Brown, I.: Profiling grounded theory approaches in information systems research. European Journal of Information Systems 22(1), 119–129 (2013)CrossRefGoogle Scholar
  30. 30.
    Maykut, P., Morehouse, R.: Beginning Qualitative Research: A Philosophic and Practical Guide. The Falmer Press, London (1994)Google Scholar
  31. 31.
    Lincoln, Y., Guba, E.: Naturalistic Inquiry. Sage Publications, Beverly Hills (1985)Google Scholar
  32. 32.
    Wallach, E.J.: Individuals and organizations: The cultural match. Training and Development Journal 37(2), 28–36 (1983)Google Scholar
  33. 33.
    Leidner, D.E., Kayworth, T.: Review: A review of culture in information systems research: Toward a theory of information technology culture conflict. MIS Quarterly 30, 357–399 (2006)Google Scholar
  34. 34.
    Goffee, R., Jones, G.: What holds the modern company together? Harvard Business Review 74(6), 133–148 (1996)Google Scholar
  35. 35.
    Cooke, R.A., Lafferty, E.: Organizational Culture Inventory. Human Synergistics, Plymouth (1987)Google Scholar
  36. 36.
    Denison, D.R., Mishra, A.K.: Toward a theory of organizational culture and effectiveness. Organization Science 6(2), 204–223 (1995)CrossRefGoogle Scholar
  37. 37.
    Ouchi, W., Theory, Z.: How American business can meet the Japanese challenge. Addison-Wesley Publishing Company, Reading (1981)Google Scholar
  38. 38.
    Shrednick, H.R., Stutt, R.J., Weiss, M.: Empowerment: key to is world-class quality. MIS Quarterly 16(4), 491–505 (1992)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  1. 1.Business Information SystemsNational University of Ireland GalwayGalwayIreland
  2. 2.Electrical Engineering and Computer ScienceUniversity of California, BerkeleyBerkeleyUSA

Personalised recommendations