Abstract
An increasing number of information security breaches in organisations presents a potentially serious threat to the privacy and confidentiality of personal and commercially sensitive data. Recent research shows that human beings are the weakest link in the security chain and the root cause of a great portion of security breaches. In the late 1990s, a new phenomenon called “information security culture” emerged as a measure to promote security-cautious behaviour of employees in organisational settings. The concept of information security culture is relatively new and research on the subject is still evolving. This research-in-progress paper contributes to our understanding of this very important topic by offering a conceptualisation of information security culture. Additionally, this study identifies factors that instigate adverse employee behaviour in organisations.
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Connolly, L., Lang, M., Tygar, D. (2014). Managing Employee Security Behaviour in Organisations: The Role of Cultural Factors and Individual Values. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds) ICT Systems Security and Privacy Protection. SEC 2014. IFIP Advances in Information and Communication Technology, vol 428. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55415-5_35
DOI: https://doi.org/10.1007/978-3-642-55415-5_35
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55414-8
Online ISBN: 978-3-642-55415-5
eBook Packages: Computer Science, Computer Science (R0)