Security subcultures in an organization - exploring value conflicts

Security culture is considered an important factor in overcoming the problem of employees’ lack of compliance with Information Security (IS) policies. Within one organization, different subcultures might subscribe to different, and sometimes even conflicting, values. In this paper we study such value conflicts and their implications for IS management and practice. Schein’s (1999) model of organizational culture is used as a tool to support the analysis of our empirical data. We found that value conflicts exist between different security cultures within the same organization and that users anchor their values related to IS in their professional values. Thus, our empirical results highlight value conflicts as an important factor to take into account when security culture is developed in an organization. Moreover, we found Schein’s model to be a useful tool for analysis of value conflicts between different subcultures in an organization.

[1] Eirik Albrechtsen, et al. The information security digital divide between information security managers and users, 2009, Comput. Secur.

[2] Gurpreet Dhillon, et al. Using Actor Network Theory to Understand Information Security Management, 2010, SEC.

[3] Srinivasan V. Rao, et al. Information Security Cultures of Four Professions: A Comparative Study, 2008, Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008).

[4] Corey Hirsch, et al. Perceptual and Cultural Aspects of Risk Management Alignment: a case study, 2008.

[5] Steven Furnell, et al. From culture to disobedience: Recognising the varying user acceptance of IT security, 2009.

[6] Herbert J. Mattord, et al. Principles of Information Security, 2004.

[7] Rossouw von Solms, et al. Towards information security behavioural compliance, 2004, Comput. Secur.

[8] Carol W. Hsu, et al. Frame misalignment: interpreting the implementation of information systems security certification in an organization, 2009, Eur. J. Inf. Syst.

[9] John Leach, et al. Improving user security behaviour, 2003, Comput. Secur.

[10] Gurpreet Dhillon, et al. Technical opinion: Information system security management in the new millennium, 2000, CACM.

[11] E. Hall. The Silent Language, 1959.

[12] Jan H. P. Eloff, et al. A framework and assessment instrument for information security culture, 2010, Comput. Secur.

[13] Hennie A. Kruger, et al. Value-focused assessment of ICT security awareness in an academic environment, 2007, Comput. Secur.

[14] Rossouw von Solms, et al. From policies to culture, 2004, Comput. Secur.

[15] Gurpreet Dhillon, et al. Principles of information systems security - text and cases, 2006.

[16] Mikko T. Siponen, et al. An analysis of the traditional IS security approaches: implications for research and practice, 2005, Eur. J. Inf. Syst.

[17] Izak Benbasat, et al. The Case Research Strategy in Studies of Information Systems, 1987, MIS Q.

[18] John J. Mauriel, et al. A Framework for Linking Culture and Improvement Initiatives in Organizations, 2000.

[19] A. B. Ruighaver, et al. Organisational security culture: Extending the end-user perspective, 2007, Comput. Secur.

[20] Stephanie Teufel, et al. Analyzing information security culture: increased trust by an appropriate information security culture, 2003, 14th International Workshop on Database and Expert Systems Applications, 2003. Proceedings.

[21] John M. Jermier, et al. Organizational Subcultures in a Soft Bureaucracy: Resistance Behind the Myth and Facade of an Official Culture, 1991.

[22] Indira R. Guzman, et al. The occupational culture of IS/IT personnel within organizations, 2008, DATB.

[23] E. Schein. The Corporate Culture Survival Guide, 1999.

[24] Gurpreet Dhillon, et al. Information Systems Security Governance Research: A Behavioral Perspective, 2006.

[25] Ella Kolkowska, et al. Values for Information System Security in an Academic Environment: A Pilot Study, 2006, AMCIS.

[26] M. D. Myers, et al. Qualitative Research in Business & Management, 2008.

[27] Joanne D. Martin, et al. Organizational culture and counterculture: An uneasy symbiosis, 1983.

[28] R. Solms, et al. Cultivating an organizational information security culture, 2006.

[29] Mark Srite, et al. Levels of Culture and Individual Behavior: An Investigative Perspective, 2005, J. Glob. Inf. Manag.

[30] F. Nelson Ford, et al. Information security: management's effect on culture and policy, 2006, Inf. Manag. Comput. Secur.

[31] Emmanuelle Vaast, et al. Danger is in the eye of the beholders: Social representations of Information Systems security in healthcare, 2007, J. Strateg. Inf. Syst.

[32] C. Kluckhohn. 2. VALUES AND VALUE-ORIENTATIONS IN THE THEORY OF ACTION: AN EXPLORATION IN DEFINITION AND CLASSIFICATION, 1951.

[33] Adam Marks. Exploring universities' information systems security awareness in a changing higher education environment: a comparative case study research, 2007.

[34] Thomas H. Lewis. The Silent Language, 1961.

[35] E. Mumford. Values, Technology and Work, 1981, Sijthoff & Noordhoff Series on Information Systems.

[36] Ella Kolkowska. A Value Perspective on Information System Security: Exploring IS security objectives, problems and value conflicts, 2009.