The Cultural Foundation of Information Security Behavior: Developing a Cultural Fit Framework for Information Security Behavior Control

Canchu Lin, Anand S. Kunnathur, Long Li
Copyright: © 2020 | Pages: 21
DOI: 10.4018/JDM.2020040102


Past behavior research overwhelmingly focused on information security policy compliance and underexplored the role of organizational context in shaping information security behaviors. To address this research gap, this study integrated two threads of literature, organizational culture and information security behavior control, and proposed a framework that integrates mid-range theories used in empirical research, connects them to organizational culture, and predicts its role in information security behavior control. Consistent with the cultural-fit perspective, this framework shows that information security policy compliance fits hierarchical culture, while the approach of promoting positive, proactive, and emerging information security behaviors fits participative culture. Contributions and practical implications of this framework, together with future research directions, are discussed.


Given the importance of information security to organizations, security-oriented technology and database management techniques (for a few examples, see Patnaik & Panda, 2003; Reid & Dhillon, 2003; Thompson, 2005; Wang, Zhao, & Chen, 2012; Wei, Lin, & Loho-Noya, 2013; Wilson & Rosen, 2003) have been developed to manage information. However, organizational information assets are ultimately handled by employees. It is well documented that a lot of incidents and losses related to information security are due to ignorance, errors, and even deliberate computer abuse behaviors of employees in organizations (Lee & Lee, 2002; Lee, Lee, & Yoo, 2004). This shows that organizational information security is not “only an opinion of officials responsible for information security” (Baskerville & Portougal, 2003, p. 4). To address the security threat stemming from internal employees, information systems (IS) researchers, borrowing behavior theories from the social sciences, have examined a variety of factors that contribute to individual employees’ security behaviors. Understanding these behaviors and their precursors is equally important. However, significant issues concerning past and current research in these two sub-areas have emerged. Researchers (e.g., Posey et al., 2013) have red-flagged the tendency in past research to focus on just a single behavior or subset of behaviors such as information security policy compliance (ISPC). Similarly, it raised our eyebrows that organizational stimuli that contextualize the cognitive processes leading to information security behaviors (ISBs) were underexplored in past research (Hu, Dinev, Hart, & Cooke, 2012). Ideally, both issues should be addressed in empirical research. Doing so calls for a framework that can integrate both efforts.
In this study, we propose such a framework that uses organizational culture, a major concept of organizational context, to envelop cognitive and behavior theories that have been utilized in empirical research on ISBs and simultaneously to examine different sets of ISBs.

Although organizational culture has been examined in previous research, it was either investigated for its impact on just one behavior such as ISPC (see, e.g., Hu et al., 2012), or proposed as an information security culture that helps organizations manage information security (see, e.g., Da Veiga & Eloff, 2010; Ruighaver, Maynard, & Chang, 2007; Van Niekerk & Von Solms, 2010). The latter approach appeared to be too functional to be sufficiently analytic. Further, it did not connect current cognitive and behavior theories to address how organizational culture shapes ISB control (ISBC). To make further improvement in this direction, this study proposes a framework that conceptualizes organizational culture as a foundation supporting organizations’ approaches to ISBC. The proposed framework rests on the idea of “cultural-fit” between an organizational practice and the existing culture of an organization (Ansari, Fiss, & Zajac, 2010; Canato, Ravasi, & Phillips, 2013). Consistent with the cultural-fit perspective, we argue that an organization’s approach to ISBC should be culturally fit. By connecting the current theories used to highlight cognitive processes leading to behaviors in empirical ISBC studies to organizational culture, we show how that cultural fit can be accomplished.
