Variations in Information Security Cultures across Professions: A Qualitative Study

The importance of culture in helping explain and understand behavior is generally accepted. Scholars in the area of information security have argued that security culture is a key factor in safeguarding information assets. Scholars in the area of professional culture have argued that differences in cultures across professions must be accounted for in order to assess the influence of culture correctly. Combining these arguments, we suggest that differences in security cultures across professions need to be examined to fully comprehend the influences of security culture. This study uses a qualitative approach to further the understanding of information security cultures across four professions: Information Systems, Accounting, Human Resources, and Marketing. The concept of security culture is articulated, and the security cultures of the four professions are characterized to demonstrate that there are significant variations in security culture across these professions when the professions are examined independently of organizations.
