Introduction
Given the importance of information security to organizations, security-oriented technology and database management techniques (for a few examples, see Patnaik & Panda, 2003; Reid & Dhillon, 2003; Thompson, 2005; Wang, Zhao, & Chen, 2012; Wei, Lin, & Loho-Noya, 2013; Wilson & Rosen, 2003) have been developed to manage information. However, organizational information assets are ultimately handled by employees. It is well documented that many incidents and losses related to information security are due to ignorance, errors, and even deliberate computer abuse behaviors of employees in organizations (Lee & Lee, 2002; Lee, Lee, & Yoo, 2004). This shows that organizational information security is not “only an opinion of officials responsible for information security” (Baskerville & Portougal, 2003, p. 4). To address the security threat stemming from internal employees, information systems (IS) researchers, borrowing behavior theories from the social sciences, have examined a variety of factors that contribute to individual employees’ security behaviors. Understanding these behaviors and their precursors is equally important. However, significant issues concerning past and current research in these two sub-areas have emerged. Researchers (e.g., Posey et al., 2013) have red-flagged the tendency in past research to focus on just a single behavior or subset of behaviors such as information security policy compliance (ISPC). Similarly, it raised our eyebrows that organizational stimuli that contextualize the cognitive processes leading to information security behaviors (ISBs) were underexplored in past research (Hu, Dinev, Hart, & Cooke, 2012). Ideally, both issues should be addressed in empirical research. Doing so calls for a framework that can integrate both efforts.
In this study, we propose such a framework that uses organizational culture, a major concept of organizational context, to envelop cognitive and behavior theories that have been utilized in empirical research on ISBs and simultaneously to examine different sets of ISBs.
Although organizational culture has been examined in previous research, it was either investigated for its impact on just one behavior such as ISPC (see, e.g., Hu et al., 2012), or proposed as an information security culture that helps organizations manage information security (see, e.g., Da Veiga & Eloff, 2010; Ruighaver, Maynard, & Chang, 2007; Van Niekerk & Von Solms, 2010). The latter approach appeared too functional to be sufficiently analytic. Further, it did not connect current cognitive and behavior theories to address how organizational culture shapes ISB control (ISBC). To improve further in this direction, this study proposes a framework that conceptualizes organizational culture as a foundation supporting organizations’ approaches to ISBC. The proposed framework rests on the idea of “cultural-fit” between an organizational practice and the existing culture of an organization (Ansari, Fiss, & Zajac, 2010; Canato, Ravasi, & Phillips, 2013). Consistent with the cultural-fit perspective, we argue that an organization’s approach to ISBC should be culturally fit. By connecting the current theories used to highlight cognitive processes leading to behaviors in empirical ISBC studies to organizational culture, we show how that cultural-fit can be accomplished.