The "Right" recipes for security culture: a competing values model perspective

Purpose: This study argues that the effect of perceived organizational culture on the formation of security-related subjective norms and the level of compliance pressure will vary based on how the employees perceive their organization’s cultural values. These perceptions reflect on the assumptions and principles that organizations use to guide their security-related behaviors. To make these arguments, we adopt the competing values model (CVM), which is a model used to understand the range of organizational values and resulting cultural archetypes. Design: This study conducted a survey of working professionals in the banking and higher education industries and used Partial Least Squares (PLS)-Structural Equation Model (SEM) to analyze the data. In a series of post-hoc analyses, we ran a set of multi-group analyses to compare the perceived organizational cultural effects between the working professionals in both industries. Findings: Our study reveals that perceived organizational cultures in favor of stability and control promoted more positive security-related behaviors. However, the different effects were more pronounced when comparing the effects between the working professionals in both industries. Originality: This study is one of the few that examines which cultural archetypes are more effective at fostering positive security behaviors. These findings suggest that we should be cautious about generalizing the effects of organizational culture on security-related actions across different contexts and industries.

[1]  Sun-Jen Huang,et al.  Exploring the relationship between organizational culture and software process improvement deployment , 2010, Inf. Manag..

[2]  C. Fornell,et al.  Evaluating structural equation models with unobservable variables and measurement error. , 1981 .

[3]  Agata McCormac,et al.  More than the individual: Examining the relationship between culture and Information Security Awareness , 2020, Comput. Secur..

[4]  Vidal Díaz de Rada Igúzquiza,et al.  Internet, Phone, Mail and Mixed-Mode Surveys: The Tailored Design Method. Don A. Dillman, Jolene D. Smyth y Leah Melani Christian. (New Jersey, John Wiley and Sons, 2014) , 2016 .

[5]  Michèle Paulin,et al.  External effectiveness of service management A study of business‐to‐business relationships in Mexico, Canada and the USA , 1999 .

[6]  Nico Martins,et al.  Defining and identifying dominant information security cultures and subcultures , 2017, Comput. Secur..

[7]  Merrill Warkentin,et al.  Can Secure Behaviors Be Contagious? A Two-Stage Investigation of the Influence of Herd Behavior on Security Decisions , 2020, J. Assoc. Inf. Syst..

[8]  C. Fornell,et al.  Evaluating Structural Equation Models with Unobservable Variables and Measurement Error , 1981 .

[9]  Michael D. Pfarrer,et al.  Perception Is Reality: How CEOs’ Observed Personality Influences Market Perceptions of Firm Risk and Shareholder Returns , 2020 .

[10]  Areej AlHogail,et al.  Design and validation of information security culture framework , 2015, Comput. Hum. Behav..

[11]  Scott B. MacKenzie,et al.  Working memory: theories, models, and controversies. , 2012, Annual review of psychology.

[12]  Raymond F. Zammuto,et al.  The competing values framework: Understanding the impact of organizational culture on the quality of work life , 2001 .

[13]  Marlien Herselman,et al.  Defining organisational information security culture - Perspectives from academia and industry , 2020, Comput. Secur..

[14]  James Michael Stewart,et al.  ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide , 2018 .

[15]  K. Cameron,et al.  Diagnosing and Changing Organizational Culture: Based on the Competing Values Framework , 1999 .

[16]  Detmar W. Straub,et al.  A Practical Guide To Factorial Validity Using PLS-Graph: Tutorial And Annotated Example , 2005, Commun. Assoc. Inf. Syst..

[17]  J. D. Jong,et al.  Psychological contracts in self-directed work teams , 2017 .

[18]  Izak Benbasat,et al.  Information Security Policy Compliance: An Empirical Study of Rationality-Based Beliefs and Information Security Awareness , 2010, MIS Q..

[19]  T. Chamorro‐Premuzic,et al.  THE ENTREPRENEURIAL ORGANIZATION: THE EFFECTS OF ORGANIZATIONAL CULTURE ON INNOVATION OUTPUT , 2018, Consulting Psychology Journal: Practice and Research.

[20]  Detmar W. Straub,et al.  Specifying Formative Constructs in Information Systems Research , 2007, MIS Q..

[21]  Juhani Iivari,et al.  The Relationship Between Organisational Culture and the Deployment of Systems Development Methodologies , 2001, CAiSE.

[22]  Shuchih Ernest Chang,et al.  Exploring organizational culture for information security management , 2007, Ind. Manag. Data Syst..

[23]  Lori N. K. Leonard,et al.  Evaluating the Core and Full Protection Motivation Theory Nomologies for the Voluntary Adoption of Password Manager Applications , 2019, AIS Trans. Replication Res..

[24]  K. Cameron,et al.  Diagnosing and changing organizational culture , 1999 .

[25]  Jennifer A. Chatman,et al.  Paradigm lost: Reinvigorating the study of organizational culture , 2016 .

[26]  Mikko T. Siponen,et al.  Toward a Unified Model of Information Security Policy Compliance , 2018, MIS Q..

[27]  Pedro Solana González,et al.  Organizational practices as antecedents of the information security management performance , 2019, Inf. Technol. People.

[28]  Mike Chiasson,et al.  Taking Industry Seriously in Information Systems Research , 2005, MIS Q..

[29]  Michele J. Gelfand,et al.  Culture and accountability in organizations: Variations in forms of social control across cultures , 2004 .

[30]  IivariJuhani,et al.  The relationship between organizational culture and the deployment of systems development methodologies , 2007 .

[31]  A. Kinicki,et al.  A meta-analytic test of organizational culture's association with elements of an organization's system and its relative predictive validity on organizational outcomes. , 2019, The Journal of applied psychology.

[32]  Tejaswini Herath,et al.  Encouraging information security behaviors in organizations: Role of penalties, pressures and perceived effectiveness , 2009, Decis. Support Syst..

[33]  Jeffrey D. Yergler Organizational Culture and Leadership, 4th ed. , 2012 .

[34]  Vanessa Ratten,et al.  The effect of cybercrime on open innovation policies in technology firms , 2019, Inf. Technol. People.

[35]  Gudela Grote,et al.  Routine interdependencies as a source of stability and flexibility. A study of agile software development teams , 2016, Inf. Organ..

[36]  Joachim Åström,et al.  Perceptions of organizational culture and value conflicts in information security management , 2018, Inf. Comput. Secur..

[37]  Stefan Tams,et al.  Moving cultural information systems research toward maturity: A review of definitions of the culture construct , 2013, Inf. Technol. People.

[38]  Tom L. Roberts,et al.  The Impact of Organizational Commitment on Insiders’ Motivation to Protect Organizational Information Assets , 2015, J. Manag. Inf. Syst..

[39]  K. Cameron Effectiveness as Paradox: Consensus and Conflict in Conceptions of Organizational Effectiveness , 1986 .

[40]  Princely Ifinedo,et al.  Information systems security policy compliance: An empirical study of the effects of socialisation, influence, and cognition , 2014, Inf. Manag..

[41]  John W. Fleenor,et al.  Personality and organizations: A test of the homogeneity of personality hypothesis. , 1998 .

[42]  Adel Yazdanmehr,et al.  Peers matter: The moderating role of social influence on information security policy compliance , 2020, Inf. Syst. J..

[43]  Randolph B. Cooper,et al.  Implications of the competing values framework for management information systems , 1993 .

[44]  Patrick Y. K. Chau,et al.  The effects of moral disengagement and organizational ethical climate on insiders' information security policy violation behavior , 2019, Inf. Technol. People.

[45]  Beryl Hesketh,et al.  Power Distance, Individualism/Collectivism, and Job-Related Attitudes in a Culturally Diverse Work Group , 1994 .

[46]  Dennis F. Galletta,et al.  User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach , 2009, Inf. Syst. Res..

[47]  Amy C. Edmondson,et al.  Self-managing organizations: Exploring the limits of less-hierarchical organizing , 2017 .

[48]  Insoo Son,et al.  Exploring the role of intrinsic motivation in ISSP compliance: enterprise digital rights management system case , 2020, Inf. Technol. People.

[49]  M. Glynn,et al.  How New Market Categories Emerge: Temporal Dynamics of Legitimacy, Identity, and Entrepreneurship in Satellite Radio, 1990–2005 , 2010 .

[50]  Wynne W. Chin The partial least squares approach for structural equation modeling. , 1998 .

[51]  Tor Guimaraes,et al.  Corporate culture, absorptive capacity and IT success , 2005, Inf. Organ..

[52]  H. Raghav Rao,et al.  Protection motivation and deterrence: a framework for security policy compliance in organisations , 2009, Eur. J. Inf. Syst..

[53]  Mikko T. Siponen,et al.  Neutralization: New Insights into the Problem of Employee Systems Security Policy Violations , 2010, MIS Q..

[54]  Joseph F. Hair,et al.  When to use and how to report the results of PLS-SEM , 2019, European Business Review.

[55]  Ping Wang,et al.  Chasing the Hottest IT: Effects of Information Technology Fashion on Organizations , 2010, MIS Q..

[56]  Hyung Jin Kim,et al.  Do employees in a "good" company comply better with information security policy? A corporate social responsibility perspective , 2019, Inf. Technol. People.

[57]  Elizabeth J. Davidson,et al.  Talking about Technology: The Emergence of a New Actor Category Through New Media , 2013, MIS Q..

[58]  Andrew Hargadon,et al.  When Innovations Meet Institutions: Edison and the Design of the Electric Light , 2001 .

[59]  Marko Sarstedt,et al.  Testing measurement invariance of composites using partial least squares , 2016 .

[60]  D. Mohr,et al.  Assessing an organizational culture instrument based on the Competing Values Framework : Exploratory and confirmatory factor analyses , 2007 .

[61]  Gurpreet Dhillon,et al.  Interpreting information security culture: An organizational transformation case study , 2016, Comput. Secur..

[62]  Elizabeth K. Briody,et al.  Ritual as Work Strategy: A Window into Organizational Culture , 2018, Human Organization.

[63]  Straub,et al.  Editor's Comments: An Update and Extension to SEM Guidelines for Administrative and Social Science Research , 2011 .

[64]  Judy A. Siguaw,et al.  Formative versus Reflective Indicators in Organizational Measure Development: A Comparison and Empirical Illustration , 2006 .

[65]  Sal Aurigemma,et al.  Generally Speaking, Context Matters: Making the Case for a Change from Universal to Particular ISP Research , 2019, J. Assoc. Inf. Syst..

[66]  Kevin P. Scheibe,et al.  The Effect of Socializing via Computer-mediated Communication on the Relationship between Organizational Culture and Organizational Creativity , 2017, Commun. Assoc. Inf. Syst..

[67]  Hamid Reza Peikari,et al.  Preventing identity theft , 2019, Inf. Technol. People.

[68]  Tamara Dinev,et al.  Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture , 2012, Decis. Sci..

[69]  Qing Hu,et al.  The role of external and internal influences on information systems security - a neo-institutional perspective , 2007, J. Strateg. Inf. Syst..

[70]  Adrianna Kezar,et al.  Senior Leadership Teams in Higher Education: What We Know and What We Need to Know , 2020 .

[71]  Mikko T. Siponen,et al.  Guidelines for improving the contextual relevance of field surveys: the case of information security policy violations , 2014, Eur. J. Inf. Syst..

[72]  Paul Benjamin Lowry,et al.  Cognitive‐affective drivers of employees' daily compliance with information security policies: A multilevel, longitudinal study , 2019, Inf. Syst. J..

[73]  Rajeev Sharma,et al.  Information technology and the search for organizational agility: A systematic review with future research possibilities , 2019, J. Strateg. Inf. Syst..

[74]  Sophia V. Marinova,et al.  Constructive Organizational Values Climate and Organizational Citizenship Behaviors: A Configurational View , 2019 .

[75]  Hwee-Joo Kam,et al.  A Cross Industry Study of Institutional Pressures on Organizational Effort to Raise Information Security Awareness , 2019, Information Systems Frontiers.

[76]  John Rohrbaugh,et al.  A Spatial Model of Effectiveness Criteria: Towards a Competing Values Approach to Organizational Analysis , 1983 .

[77]  John C. Smart,et al.  Organizational Culture and Effectiveness in Higher Education: A Test of the “Culture Type” and “Strong Culture” Hypotheses , 1996 .

[78]  Elizabeth F. Cabrera,et al.  An Expert HR System for Aligning Organizational Culture and Strategy , 1999 .