One size does not fit all: Different cultures require different information systems security interventions

Proceedings - Pacific Asia Conference on Information Systems, PACIS 2013

Volumn , Issue , 2013, Pages

  Karjalainen, Mari ^a   Siponen, Mikko ^b   Puhakainen, Petri ^c   Sarker, Suprateek ^d  

^a UNIVERSITY OF OULU   (Finland)

^b UNIVERSITY OF JYVÄSKYLÄ   (Finland)

^c Finnish Tax Administration   (Finland)

^d WASHINGTON STATE UNIVERSITY   (United States)

Author keywords

Cultures; IS security behavior; IS security training

Indexed keywords

INFORMATION SYSTEMS; MOBILE SECURITY; PERSONNEL TRAINING;

CULTURAL SETTINGS; CULTURES; INFORMATION SYSTEMS SECURITY; IS SECURITY BEHAVIOR; NON-COMPLIANCE; SECURITY RESEARCH; SECURITY TRAINING; SWITZERLAND;

SECURITY OF DATA;

EID: 84928501185     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (55)

1. Albrechtsen, E. (2007). A qualitative study of user's view on information security. Computers & Security, 26 (4), 276-289.
2. Albrechtsen, E. and Hovden, J. (2010). Improving information security awareness and behaviour through dialogue, participation and collective reflection. An intervention study. Computers & Security, 29 (4), 432-445.
3. Bandura, A. (1977). Social Learning Theory. General Learning Press, New York.
4. Beautement, A., Sasse, M.A. and Wonham, M. (2008). The compliance budget: Managing security behaviour in organisations. New Security Paradigm Workshop. In Proceedings of the 2008 Workshop on New Security Paradigms, p. 47-58, ACM, New York USA.
5. Bulgurcy, B., Cavusoglu, H. and Benbasat, I. (2010). Information security policy compliance: An empirical study of rationality-based beliefs and information security awareness. MIS Quarterly, 34 (3), 523-548.
6. Burchell, S., Clubb, C., Hopwoo, A.G., Hughes, J. and Nahapiet, J. (1980). The roles of accounting in organizations and society. Accounting, Organizations, and Society, 5 (1), 5-27.
7. Chan, M., Woon, I. and Kankanhalli, A. (2005). Perceptions of information security in the workplace: Linking information security climate to compliant behavior. Journal of Information Privacy & Security, 1 (3), 18-41.
8. D'arcy, J. and Hovav, A. (2007). Deterring internal information systems misuse. Communications of the ACM, 50 (10), 113-117.
9. D'arcy, J., Hovav, A. and Galletta, D.F. (2008). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20 (1), 79-98.
10. Delong, D.W. and Fahey, L. (2000). Diagnosing cultural barriers to knowledge management. Academy of Management Executive, 14 (4), 113-127.
11. Dinev, T., Goo, J., Hu, Q. and Nam, K. (2009). User behaviour towards protective information technologies: The role of national cultural differences. Information Systems Journal, 19 (4), 391-412.
12. Greitzer, F.I., Kucher, O.A. and Huston, K. (2007). Cognitive science implications for enhancing training effectiveness in a serious gaming context. Journal of Educational Resources in Computing, 7 (3), 1-16.
13. Herath, T. and Rao, H.R. (2009a). Protection motivation and deterrence: A framework for security policy compliance in organizations. European Journal of Information Systems, 18 (2), 106-125.
14. Herath, T. and Rao, H.R. (2009b). Encouraging information security behaviors in organizations: Role of penalties, pressures, and perceived effectiveness. Decision Support Systems, 47 (2), 154-165.
15. Holmström Olsson, H., Conchúir, E., Ågerfalk, P. and Fitzgerald, B. (2008). Two-stage offshoring: An investigation of the Irish bridge. MIS Quarterly, 32 (2), 257-279.
16. Hofstede, G. (2001). Culture's Consequences: Comparing Values, Behaviors, Institutions, and Organizations Across Nations. Thousand Oaks, CA.
17. Hofstede, G. (1998). Identifying organizational subcultures: An empirical approach. Journal of Management Studies, 35 (1), 1-12.
18. Hofstede, G. (1993). Cultural constraints in management theories. Academy of Management Executive, 7 (1), 81-94.
19. Hofstede, G. (1991). Cultures and Organizations: Software of the Mind. McGraw-Hill, London.
20. Hovav, A. and D'arcy, J. (2012). Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea. Information & Management, 49 (2), 99-110.
21. Hung, D. (2001) Theories of learning and computer-mediated instructional technologies. Educational Media International, 38 (4), 281-287.
22. Johnston, A.C. and Warkentin, M. (2010). Fear appeals and information security behaviors: An empirical study. MIS Quarterly, 34 (3), 549-566.
23. Karjalainen, M. and Siponen, M. (2011). Toward a new meta-theory for designing information systems (IS) security training approaches. Journal of the Association for Information Systems, 12 (8), 518-555.
24. Kroeber, A.L. Kluckhohn, C. and Untereiner, W. (1952). Culture: A Critical Review of Concepts and Definitions. Wintage Books, New York.
25. Lee, A.S. and Baskerville, R.L. (2003). Generalizing generalizability in information systems research. Information Systems Research, 14 (3), 221-243.
26. Lee, S.M., Lee, S.G. and Yoo, S. (2004). An integrative model of computer abuse based on social control and general deterrence theories. Information Management, 41 (6), 707-718.
27. Leidner, D. and Keyworth, T. (2006). Review: A review of culture in information systems research: Toward a theory of information technology culture conflict. MIS Quarterly, 30 (2), 357-399.
28. Li, H., Zhang, J. and Sarathy, R. (2010). Understanding compliance with Internet use policy from the perspective of rational choice theory. Decision Support Systems, 48 (4), 635-645.
29. Mezirow, J. (1991). Transformative Dimensions of Adult Learning. Jossey-Bass, San Francisco.
30. Miller, J. (2007). The Holistic Curriculum. 2nd edition. OISE Press, Toronto.
31. Miller, J.P. and Seller, W. (1985). Curriculum. Perspectives and Practice. Longman Inc, White Plains, NY.
32. Myers, M. and Newman, M. (2007). The qualitative interview in IS research: Examining the craft. Information and Organization, 17 (1), 2-26.
33. Myers, M.D. and Tan, F.B. (2002). Beyond models of national culture in information systems research. Journal of Global Information Management, 10 (1), 24-32.
34. Myyry, L., Siponen, M., Pahnila, S., Vartiainen, T. and Vance, A. (2009). What levels of moral reasoning and values explain adherence to information security rules? An empirical study. European Journal of Information Systems, 18 (2), 126-139.
35. Pahnila, S., Siponen, M. and Mahmood, A. (2007). Employees' behavior towards IS security policy compliance. In Proceedings of the 40th Annual Hawaii International Conference on System Sciences (HICSS'07), 156b - 156b.
36. Palincsar, A.S. (1998). Social constructivist perspectives on teaching and learning. Annual Review of Psychology, 49, 345-375.
37. Pavlou, P.A. and Fygenson, M. (2005). Understanding and predicting electronic commerce adoption: An extension of the theory of planned behavior. MIS Quarterly, 30 (1), 115-143.
38. Puhakainen, P. and Siponen, M. (2010). Improving employee's compliance through IS security training: An action research study. MIS Quarterly, 34 (4), 1-23.
39. Sarker, S. and Sarker, S. (2009). Exploring agility in distributed information systems development (ISD) teams: An interpretive study in an offshoring context. Information Systems Research, 20 (3), 440-461.
40. Sarker, S., Sarker, S. and Sidorova, A. (2006). Actor-networks and business process change failure: An interpretive case study. Journal of Management Information Systems, 23 (1), 51-86.
41. Sasse, A., Brostoff, S. and Weirich, D. (2001). Transforming the 'weakest link' human/computer interaction approach to usable and effective security. BT Technology Journal, 19 (3), 122-131.
42. Seale, C. (1999), Quality in qualitative research. Qualitative Inquiry, 5 (4), 465-478.
43. Seddon, P. and Scheepers, R. (2012). Towards the improved treatment of generalization of knowledge claims in IS research: Drawing general conclusions from samples. European Journal of Information Systems, 21 (1), 6-21.
44. Schein, E.H. (1985). How culture forms, develops and changes. In Gaining Control of the Corporate Culture. (Kilmann, R.H., Saxton, M.J., Serpa, R. and Associates Eds.), pp. 17-43, Jossey-Bass, San Francisco.
45. Schulze, U. and Avital, A. (2011). Designing interviews to generate rich data for information systems research. Information & Organization, 21 (1), 1-16.
46. Siponen, M.T., Pahnila, S. and Mahmood, A. (2007). Employees' adherence to information security policies: An empirical study. In Proceedings of the IFIP TC-11 22nd International Information Security Conference (SEC 2007): New Approaches for Security, Privacy and Trust in Complex Environments (Venter, H., Eloff, M., Labuschagne, L., Eloff, J. and Von Solms, R. Eds.), p. 133- 144, Sandton, South Africa.
47. Siponen, M., Pahnila, S. and Mahmood, A. (2006). Factors influencing protection motivation and IS security policy compliance. Innovations in Information Technology, 1-5.
48. Siponen, M. and Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34 (1), 1-15.
49. Skinner, B.F. (1969). Contingencies of Reinforcement: A Theoretical Analysis. Prentice Hall, USA.
50. Stanton, J.M., Stam, K.R., Mastrangelo, P. and Jolton, J. (2005). Analysis of end user security behaviours. Computers and Security, 24 (2), 124-133.
51. Stinger, E.T. (1999). Action Research. Second edition. Sage Publications, Thousand Oaks CA.
52. Straub, D., Loch, K., Evaristo, R., Karahanna. E., and Srite, M. (2002). Toward a theory-based measurement of culture. Journal of Global Information Management, 10 (1), 13-23.
53. Walsham, G. (2006). Doing interpretive research. European Journal of Information Systems, 15 (3), 320-330.
54. Walsham, G. (2002). Cross-cultural software production and use: A structurational analysis. MIS Quarterly, 26 (4), 359-380.
55. Weick, K.E. (1989). Theory construction as disciplined imagination. Academy of Management Review, 14 (4), 516-531.