Information Security Cultures of Four Professions: A Comparative Study

Differences in cultures across professions have been reported in the professional culture literature. Understanding such differences is important for understanding the effects of culture. We extend this argument to the area of information security. We argue that it is necessary to examine the information security cultures of various professions to identify differences that may exist, so that they may be taken into account in formulating initiatives to enhance information security. In this article, we provide a comparative description of the security cultures of four professions - information systems, accounting, marketing and human resources - based on semi-structured interviews of respondents from each of the professions. Our results confirm the existence of differences in security cultures across professions. In particular, they indicate that the professions differ in their beliefs about what constitutes information security and who is responsible for it, and in the likelihood of their compliance with security under performance pressure.
