The impacts of organizational culture on information security culture: a case study

Information Technology and Management

Abstract

Information security cannot rely solely on technology. More attention must be drawn to the users’ behavioral perspectives regarding information security. In this study, we propose that a culture encouraging employees to comply with information policies related to collecting, preserving, disseminating and managing information will improve information security. Information security culture is believed to be influenced by an organization’s corporate culture (or organizational culture). We examine how this occurs through an in-depth case study of a large organization. We present a relationship map for organizational culture and information security practices. Six propositions are drawn from the findings of our interviews and discussions. Managerial insights, such as how to measure an organization’s information security culture and subsequently determine what perspective(s) is important for the organization to improve, are also discussed.

Acknowledgments

This study is part of the projects “Research on China Industrial Security Index” (No. B09C1100020) and “Industrial Security Engineering Research” (No. 239010522) funded by the Ministry of Education, China. We appreciate the supportive comments from the reviewers.

Author information

Corresponding author

Correspondence to Mincong Tang.

About this article

Cite this article

Tang, M., Li, M. & Zhang, T. The impacts of organizational culture on information security culture: a case study. Inf Technol Manag 17, 179–186 (2016). https://doi.org/10.1007/s10799-015-0252-2

  • DOI: https://doi.org/10.1007/s10799-015-0252-2
