=Paper= {{Paper |id=Vol-2966/paper4 |storemode=property |title=Reviewing the Interrelation Between Information Security and Culture: Toward an Agenda for Future Research |pdfUrl=https://ceur-ws.org/Vol-2966/paper4.pdf |volume=Vol-2966 |authors=Sebastian Hengstler,Natalya Pryazhnykova |dblpUrl=https://dblp.org/rec/conf/wirtschaftsinformatik/Hengstler21 }} ==Reviewing the Interrelation Between Information Security and Culture: Toward an Agenda for Future Research== https://ceur-ws.org/Vol-2966/paper4.pdf
     Reviewing the Interrelation Between Information
    Security and Culture: Toward an Agenda for Future
                         Research

                                 Sebastian Hengstler1, Natalya Pryazhnykova1

        1 Chair of Information Security and Compliance, University of Goettingen, Germany

      s.hengstler@stud.uni-goettingen.de, pryazhnykova@gmail.com



           Abstract. The main goal of this paper is to provide a review of existing
           research on the interrelationships between information security and
           culture. The results of this study are based on a structured literature review
           of current research on the interrelationships between information security
           and culture, published between 2000 and 2020 (September). Our results
           show that current research has focused on four core themes: (1) the
           influence of culture on information security policy compliance behavior, (2)
           information security culture in organizations, (3) the influence of culture on
           information security awareness programs and (4) the effect of culture on
           information security governance. Our results show that, so far, the
           mentioned topics have been investigated from different perspectives.
           However, our results offer potential for future research, e.g. in the
           connections between information security and individual cultural values or
           in the area of information security awareness.

           Keywords: Information Security and Culture, Literature Review,
           Information Security


1          Introduction

Information security represents a field of increasing scholarly interest from a practical
and theoretical perspective and includes various critical dimensions, which need to be
considered to ensure a high level of information security, e.g. in organizations [1].
Important mechanisms to guarantee information security are technical measures, such
as firewalls, to protect networks or various authorization measures for hardware
protection [2].
   However, it is a well-known fact that attacks on information security systems in
private or professional usage start at the weakest point, which is failure caused by an
individual [3]. This is the reason why measures to ensure compliant behavior of
employees in various organizations are becoming increasingly crucial [4].
   Existing studies analyze a variety of mechanisms that influence the compliance
behavior of employees, such as the social environment of an individual, the use of
informal and formal sanctions to ensure compliance or the use of threat and coping
appraisals [1]. Furthermore, existing research shows that contextual differences are
an essential factor to consider when designing information security measures to
achieve compliance behavior [5]. Besides the distinction between different types of
information security breaches, culture is an important contextual component of current
information security research [6].

16th International Conference on Wirtschaftsinformatik,
March 2021, Essen, Germany
Copyright © 2021 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).

   Over the last two decades, culture has been analyzed from different angles in the
context of information security and there are different approaches in research, which
aim to explain how these two aspects relate. The results of existing literature reviews
in the field of information security and culture show a variety of different outcomes.
Mahfuth et al. (2017) analyzed existing research regarding information security,
organizational culture and the relation of these two fields [7]. Karlsson and Åström
(2015) provide an overview of the research in the area of information security culture
[6]. Hina and Dominic (2020) identify information security and culture as a current
trending topic in information security research [8]. In summary, there are recent
approaches, which analyze the interrelations between information security and culture
from different perspectives. However, we believe that a comprehensive overview that
represents the different perspectives and top themes of information security culture
research is still missing, but can help to provide a more complete view on the relation
of culture and information security [9].
   The aim of this paper is to summarize existing research about information security
and culture in order to increase the understanding of the influence of culture and its
relevance to information security. The scope of this paper is to identify the current
research themes in this field, and to provide further directions for future research. In
our analysis, we build on existing cultural concepts to identify interrelations between
culture and information security research. We used the approach of Leidner and
Kayworth (2006) to analyze the interrelations between culture and information security,
in combination with the process for a structured literature analysis of Webster and
Watson (2002) [9, 10].
   With our research, we aim to contribute to current literature in providing a
comprehensive view on the current state of the interrelation between information
security and culture research. Our study provides an overview not only about analyzed
cultural levels and artefacts, but also used research approaches (methods and theories).
In addition to that, we identified overlapping and less analyzed aspects in existing
research. We identified both major and minor gaps in the literature and provided
implications for further research.
   This study is structured as follows. In section 2, we define the relevant concepts of
culture used in our literature analysis. In section 3, the literature analysis process is
explained. We describe the outcomes of this paper and define focus themes in
information security and culture research in section 4. An overview of potential
future research is presented in section 5. The paper concludes in section 6.




2      The Concept of Culture

In other research areas such as Social Studies or Psychology, culture is understood as a
summary of ideologies, beliefs, basic assumptions, shared norms and values, that have
an influence on the collective will [11, 12]. Other approaches analyze the construct of
culture from a different perspective and focus on individual cultural dimensions, which
describe the individual components of culture [13]. Schein's (1997) three-level model
of culture shows a model to explain culture within organizations [14]. Due to these
differences and the fact that the concept of culture is characterized by its many
meanings and possible interpretations, it is rather challenging to formulate an overall
definition of the concept of culture [15]. The first modern interpretation was made by
Edward Tylor, who described culture as the collection of all skills and habits such as
knowledge, beliefs or laws, which are shaped by society [16]. Hofstede specified the
shaping of behavior by society and defined culture as a collective coding of the mind
by which the members of a group distinguish themselves from the members of other
groups [12]. Because of the fact that culture includes all rules, norms and the code of
conduct of a collective, it has an influence on the behavior of the individuals of a group
and is consequently controlling behavior [17].
   In the area of information systems, the extent to which these are related to the topic
of culture was also investigated. Leidner and Kayworth (2006), for example, analyzed
different approaches in the area of information systems and culture in terms of their
underlying theoretical cultural artifacts. They pointed out that a relation between
information systems and these cultural artefacts can occur on several levels of culture.
Examples of this are a connection in the context of IT culture, the IT adoption process
and cultural dependencies in IT management. In their analysis they distinguish between
the national, organizational, and individual levels of analysis and name several cultural
artefacts, which are used in research to analyze the interrelation between culture and
information systems [9]. The national unit of analysis is described as the analysis of
cultural orientation, based on a sample's nationality, where different countries are
chosen as the object of the study [12]. At the organizational level, studies analyze
cultural differences in different organizational units, e.g. in different companies [14].
The analysis of smaller groups or individuals describes the study of individual behavior
or within social groups [18]. As a subdiscipline of information systems research, we
can relate these findings to current topics in information security research [6, 7]. For
example, topics such as security culture, compliance behavior or security management
can also be identified in the security domain, which show similarities to existing
information systems research in other research streams. To make the results of our
analysis comparable to existing research, we adapt Leidner and Kayworth's (2006)
approach and analyze the identified literature, based on used cultural artifacts and their
level of analysis [9].




3      Literature Analysis Process

For the literature analysis we adapt the methodological approach established in the field
of information systems research according to Webster and Watson (2002) [10], which
provides a solution for the systematic identification and analysis of relevant literature.
The following plan was used for the consistent implementation of the methodological
approach in our literature analysis. Firstly, the subject area was defined and our target
group for our research was specified. At this point, our intention was to determine the
current state of the research about the influence of culture on information security.
Therefore, we concentrated on research outcomes that shed light on the connection
between these two topics. The scope of our literature review is to identify central topics
in the interrelation of these research areas. We address mainly specialized scholars
analyzing the effect of culture on information security or scholars interested in cross-
cultural research in the field of information security.
    Secondly, we conceptualized the core elements that will be used for the systematic
categorization of identified literature. In order to classify and analyze the identified
literature with respect to our research purpose, we have transferred the common
characteristics of this research area from existing literature reviews, namely the
methodological approach, cultural level of analysis, underlying theories and considered
cultural artefacts, and used them in the form of a concept matrix for the analysis of our
identified literature [9, 12, 13]. Thirdly, we specified the characteristics we wanted
to analyze, the selection of databases and the definition of our search terms.
    Since research in the field of information security and culture is published in
conference proceedings as well as in international journals, we used different databases.
The databases EbscoHost, Aisel and AbiInform were used to obtain a broad coverage
of both international journals and conference proceedings in our research area. Forward
and backward search was conducted with the database Web-of-Science. Generally,
publications in relevant journals and conferences of information security research were
considered in our analysis. Publications from other disciplines in our research area were
also included if they were of high relevance (e.g. high citation rate). We followed the
orientation of Karlsson and Åström (2015) and considered literature published since
2000 [6]. In order to identify potentially relevant literature, we analyzed the keywords,
the abstract and the title of the respective studies. The use of the search queries in the
different databases resulted in a list of 461 publications, including duplicates. After
deleting duplicates and articles with incorrect content that were not in the focus of our
analysis, we received a list of 103 articles to be analyzed. 53 of these articles were
identified in the initial search, 37 in the forward search and 13 in the backward search.
In total, 58 articles were published in information systems or computer science
journals and 45 articles at related conferences. A list of our search terms and constructs
used to classify the results is shown in Table 1.




                           Table 1. Search terms and analyzed concepts.

 Search Terms                                            Analyzed Concepts
 Information security culture                            Theories
 Information security AND culture                        Cultural Dimensions
 Information security AND organizational culture         Used Methodical Approach
 Information security AND national culture               Cultural Level of Analysis (National,
 Information security AND information security culture   Organizational, Individual/Subunit)


   In a fourth step, we analyzed the identified literature according to the identified
characteristics. We considered articles published between 2000 and 2020
(September). An overview of the considered articles per journal/conference is
shown in Table 2.

                       Table 2. Identified articles by journal and conference

 Journal Title                                                                              Amount
 Organizational behavior Computers & Security                                               1
 Information Systems Management                                                             2
 Information Management & Computer Security                                                 9
 Computers in Human Behavior                                                                2
 Information & Management                                                                   2
 Computers & Security                                                                       15
 Information and Computer Security                                                          6
 Information Systems Journal                                                                2
 Communications of the Association for Information Systems                                  2
 Southern African Business Review                                                           1
 Computer Fraud Security                                                                    2
 Journal of Theoretical and Applied Information Technology                                  1
 South African Computer Journal                                                             1
 Journal of Enterprise Information Management                                               1
 Electronic Markets                                                                         1
 Journal of Global Information Management                                                   1
 Decision Sciences                                                                          1
 MIS Quarterly                                                                              2
 Journal of Computer Information Systems                                                    1
 Journal of Database Management                                                             1
 Information Technology and Management                                                      1
 Journal of Global Information Technology Management                                        1




 Conference Title                                                                              Amount

 International Conference on Research and Innovation in Information Systems (ICRIIS)           1
 Pacific Asia Conference on Information Systems (PACIS)                                        5
 American Conference on Information Systems (AMCIS)                                            6
 European Conference on Information Systems (ECIS)                                             4
 International Conference on Information Systems (ICIS)                                        1
 Human Aspects of Information Security & Assurance (HAISA)                                     2
 International Social Security Association (ISSA)                                              3
 International Conference on Information Security and Cryptology (ICISC)                       3
 IEEE World Congress On Computer Applications and Information Systems (WCCAIS)                 1
 Australian Information Security Management Conference (AISM)                                  6
 International Carnahan Conference on Security Technology (ICCST)                              1
 Conference on Information Security for South Africa (ISSA)                                    1
 Hawaii International Conference on System Sciences (HICSS)                                    1
 Wireless Internet Service Providers Conference (WISP)                                         4
 International Information Management Association Conference (IIMA)                            1
 Mediterranean Conference on Information Systems (MCIS)                                        1
 International Conference for Internet Technology and Secured Transactions (ICITS)             1
 Workshop on Governance of Technology, Information and Policies                                1
 European Conference on Information Warfare and Security (ECIW)                                1
 International Conference on Availability, Reliability and Security                            1


   Finally, the identified topics of existing literature were discussed, and current trends
and further research potential were presented. We describe the last two steps in the
following chapters.


4       Results

A total of 103 articles were analyzed in this literature review. Among them, 28 articles
examined culture at the national level in the context of information security and 63
examined culture at the organizational level. There were 8 studies that examined culture
at the individual/subunit level in the context of information security. Over 71% of the
studies on the national cultural level used Hofstede's culture dimensions [12]. The
organizational level studies often do not use explicit cultural artifacts (68%). The most
represented cultural artifact at the organizational level is Schein's (1992) model of
organizational culture (12%) [14]. No explicit cultural artifacts were studied on the
individual/subunit cultural level. Additionally, we categorized the articles by their
scientific approach. Overall, there are two trends which were identified for the
methodological approaches. 23% of the articles rely on conceptual frameworks. 32%
of the identified articles used a questionnaire-based, quantitative methodological
approach. Other methodological approaches are less represented. In terms of used
theories, many articles are more theory-generating in nature and do not use an existing
theory (66%) for their studies. The types of theories do not indicate a focus.
    Furthermore, we were able to identify overall focus themes within the analyzed
articles dealing with the interrelations between information security and culture: (1) the
influence of culture on information security policy compliance behavior, (2)
information security culture in organizations, (3) the influence of culture on information
security awareness programs and (4) the effect of culture on information security
governance. We were not able to assign three identified articles to the mentioned
themes and did not consider them in more detail. The following chapters describe the
identified focus topics in more detail. A list of the identified and characterized
literature, based on our observed concepts of theories, methods, cultural artifacts, and
cultural level of analysis is listed in the appendix (Tables 4-7).


4.1    The Influence of Culture on Information Security Policy Compliance
       Behavior

A total of 30 papers dealt with the influence of culture on information security policy
compliance behavior. 18 of these studies focused on the national cultural level, 11 on
the organizational cultural level, and one on the individual/subunit cultural level. The
majority of the articles used a questionnaire-based, quantitative approach (18), whereas
7 articles chose a qualitative approach. Meta-analyses (1), commentaries (2), typologies
(1), case studies (2), and mixed method approaches (1) are less represented. Most
articles do not explicitly use a theory and are more theory-generating in nature (11). The
most frequently used theories are the theory of planned behavior (3) and the deterrence
theory (4). Other theories are represented sporadically. At the national cultural level,
13 of 18 articles used Hofstede's cultural dimensions as cultural artifacts [12]. At the
organizational level, hardly any culture artifacts have been used.
   The topic “influence of culture on information security policy compliance behavior”
includes articles that primarily focus on the analysis of cultural differences regarding
information security compliance behavior of employees. There is only one study that
considers individual cultural values when analyzing information security compliance
behavior with respect to cultural differences. On a national cultural level, the research
focus lies in the analysis of the effectiveness of different theoretical mechanisms on
compliance behavior along national cultures. In this area, different theories such as
deterrence theory or the theory of planned behavior are analyzed [19–21]. The focus is
mainly on the analysis of 7 different cultures and does not show a big variety [22]. On
the organizational culture level, research in this topic area focuses on organizational
concepts that positively influence information security behavior and thereby contribute
to a positive security culture in organizations. For example, knowledge sharing [23],
discipline and agility [24], and morale within an organization are examined in terms of
their positive impact on behavior [25].




4.2    Information Security Culture in Organizations

A total of 39 papers dealt with information security culture in
organizations. 32 studies focused on the organizational cultural level, 6 on the
individual/subunit cultural level, and one study on a national cultural level.
Predominantly, conceptual frameworks were developed within the articles (14). There
is also a focus on conducting literature reviews (5), qualitative studies and case studies
(5), and questionnaire-based quantitative studies (7). Most articles do not use explicit
theory and are more theory generating in nature (34). At the organizational cultural
level, Schein's (1992) organizational behavior theory was frequently used (7) [14].
Most articles do not explicitly mention cultural artifacts (26).
    The theme “information security culture in organizations” includes articles focusing
on concepts and influencing factors of an information security culture within
organizations, namely conceptualization of cultural models, their validation and the
analysis of factors influencing a security culture and their effects. At the individual or
subunit level, the crucial point lies in identifying different cultural subgroups within an
organization, e.g. through different professional backgrounds [26, 27]. Another aspect
of an information security culture is the analysis of influencing factors on such cultural
subgroups [28, 29]. On an organizational cultural level, some articles focus on the
analysis of illusory concepts of an organizational culture and their application in the
information security culture domain [30–32]. Another core issue is the analysis of
factors that influence an information security culture [33–35]. Furthermore, similarities
between the traditional view of organizational cultures and an information security
culture are a focus of current research as well [36, 37]. Other articles concentrate on
the managerial impact on information security culture, such as the role of CISOs [38]
or managerial guidelines to lead in a security culture [31].


4.3    The Influence of Culture on Information Security Awareness
       Programs

The influence of culture on information security awareness (ISA) programs was
covered by a total of 8 articles. There were two studies with a focus on organizational
cultural level, one study on the individual/subunit cultural level and five studies on
national cultural level. Predominantly, questionnaire-based, quantitative studies
were carried out (5). Two articles conducted an experiment for their study and one
article used a qualitative approach. A total of four studies chose Hofstede's culture
dimensions as culture artifacts [12]. Other cultural artifacts, such as the organizational
behavior theory [14] and aspects from the competing value framework were used as
well [39]. In the context of this topic, different ways of approaching information
security and culture were identified. On the one hand, correlations between information
security awareness measures and the security culture of an organization are analyzed.
The authors show that the security culture can have an influence on the individual
awareness behavior of employees [40]. On the other hand, there are studies which
investigate the influence of different organizational factors on ISA from different
cultural perspectives. This includes the analysis of the impact of factors, such as
security culture or competing values on the awareness of employees [41]. At the
national cultural level, studies have been mainly conducted with the purpose of analyzing
the effectiveness of theoretical mechanisms, such as social norms and attitude values
[41] or fear appeals [42] on information security awareness in different countries.


4.4    The Effect of Culture on Information Security Governance

The effect of culture on information security governance was analyzed by a total of 21
articles. There were 17 studies with a focus on organizational cultural level and 4
studies on national cultural level. Most of the analyzed studies focused on qualitative
research approaches (5) and case studies (6). Most articles did not explicitly outline
the theoretical approach or the specific cultural artefacts used.
   National cultural level studies in this theme focus on analyzing the influence of
national cultural values on the effectiveness of security measures [43] and what
national-level factors need to
be considered while implementing them [44]. Other studies at the national level analyze
the influence of national culture on corporate structure [45] and information security
risk management [46]. At the organizational level of analysis, several focus themes can
be identified.
   On the one hand, current research is concerned with the relationship between culture
and information security management. This includes the analysis of what effect
management behavior can have on information security and its culture in the
organization [47, 48] and the influence of culture on information security management
itself [49]. Another element is the description of governance structures and their
constituents for information security, considering cultural factors. This consists of the
influence of culture on organizational structures, the implementation of information
security measures [50] and the differences within these structures in different
organizations [51]. Closely related are articles dealing with the design of information
security policies, predominantly with the consideration of cultural differences [8, 52].
Another subtopic regarding the effect of culture on information security governance is
assessments. Articles describe not only the design and validation of assessment tools
for information security culture, but also the implementation of monitoring methods for
information security in a cross-cultural context [53, 54].


5      Directions for Future Research

Our study examined the current focus of analyses regarding the interrelation of culture
and information security. In our literature review, we identified 103 relevant articles
and were able to identify four focus themes concerning the interrelation between culture
and information security. According to the outcomes of this study, the potential for
further research can be identified.
   Within the topic “the influence of culture on information security policy compliance
behavior” there is a strong focus regarding the national cultural level of analysis and
the testing of the effectiveness of various theories in respect of different national
cultures. The focus lies mainly in theories established in security research, such as
deterrence theory or the theory of planned behavior. Additionally, the individual
characteristics of the culture of individual employees have not yet been taken into
account. Future research in the field of the relation of culture and information security
behavior should include: (1) The investigation of further theoretical mechanisms and
their cultural dependency regarding information security behavior, such as theories
explaining the shaping process of behavior by social factors [6]. (2) A focus on the
influence of individual manifestations of cultural artifacts on behavior, in order not to
make assumptions about dependencies between culture and individual behavior based
on only national cultural values [55].
   The topic of information security culture in organizations includes articles about the
structure of a security culture within organizations and its influencing factors. Research
in this area could benefit from an increased use of established organizational culture
theories or culture artifacts not only to validate the already developed information
security culture frameworks but also to draw parallels to organizational culture [35].
Furthermore, previous studies have predominantly focused on looking at the whole
organization and its security culture. Differences in individual sub-units, such as
different professions or demographic or geographic factors are poorly represented. The
focus of future research in this area should therefore provide: (1) A validation of the
previously developed frameworks in the security culture environment, taking into
account established cultural artifacts in the organizational culture domain. (2) A more
specific investigation of security culture in different sub-units of organizations and their
factors influencing each other [26].
   The theme about the influence of culture on information security awareness
programs has been poorly established in current research, with only 8 articles published.
Overall, it is visible that the relationships between cultural artifacts and ISA
lack analysis. On a national cultural level, it is evident that culture has an influence
on ISA. Rather few studies exist in connection with organizational factors, culture
and ISA, as well as the influence of individual cultural values on ISA. Accordingly, our
proposal for future research in this area is broadly defined. We suggest that future
research on the relationship between culture and ISA should focus on: (1) The
interrelationships of culture at the national, organizational, and individual/subunit
levels with ISA, taking into account established ISA approaches, in order to provide
more insights into the interrelationships of these two aspects [40].
   Articles examining the effect of culture on information security governance are
characterized by the study of factors influencing culture on governance structures or
structures of the organization itself. Likewise, a relatively large number of articles on
the influence of culture on information security management can be identified. What
has been less considered so far is the conceptualization and review of methods and tools
for reviewing security measures under consideration of cultural differences in order to
build an international, cross-cultural monitoring of the effectiveness of security
measures [50]. Consequently, we suggest that future research focus on the relationship
between cultural artifacts and the conceptualization and review of assessment and
monitoring approaches. Our results are summarized in table 3.

                                     Table 3. Research agenda.

 Theme             We need to…                                     Limitations to Overcome

 The Influence     (1) Further investigate theoretical             (1) A focus on quantitative
 of Culture on     mechanisms and their cultural dependency        studies
 Information       regarding information security behavior.        (2) The consideration of cultural
 Security Policy   (2) Analyze the influence of individual         artefacts in studies about
 Compliance        cultural values on behavior.                    information security behavior
 Behavior                                                          and their relation to culture

 Information       (1) Validate previously developed               (1) Limitations of conceptual
 Security          frameworks in the security culture              Frameworks
 Culture in        environment, taking into account                (2) The distinction between
 Organizations     established cultural artifacts.                 different types of organizations
                   (2) Investigate security culture in different
                   sub-units of organizations and their factors
                   influencing each other.

 The Influence     (1) Analyze the interrelationships of           (1) A focus on national cultural
 of Culture on     culture at the national, organizational, and    values
 Information       individual/subunit levels                       (2) A focus on quantitative
 Security          (2) Go beyond quantitative approaches           studies
 Awareness         and use a greater variety of qualitative and
 Programs          quantitative approaches.

 The Effect of     (1) Further analyze the relationship            (1) The lack of theoretical
 Culture on        between cultural artifacts and the              approaches in this research
 Information       conceptualization and review of                 stream
 Security          assessment and monitoring approaches.           (2) A focus on national cultural
 Governance        (2) Measure culture not only on                 values
                   organizational, but individual level to
                   better understand the individual effect of
                   culture on governance structures.


6      Conclusion

The purpose of this study was to analyze current research on the relationships between
information security and culture. Our study focuses on the interrelationships between
information security and culture and thus represents an extension to existing literature
reviews in the security context. By applying a structural framework, it provides an
overview of the current state of research and its core topics, as well as existing research
gaps. Based on the literature we identified, we were able to identify open points in the
identified core topics and highlight potential for future research. Overall, limitations
remain to be identified in the context of our study. Our findings are limited to the
selected areas of outlets and keywords that we considered in our search for relevant
literature. Future research in specific research areas will need to be further elaborated
to include a wider scope of other IS conferences and journals potentially relevant to
the specific case.


References

1.  Moody, G.D., Siponen, M., Pahnila, S.: Toward a Unified Model of Information Security
    Policy Compliance. MIS Quarterly 42, 285–311 (2018)
2. D’Arcy, J., Hovav, A.: Does One Size Fit All? Examining the Differential Effects of IS
    Security Countermeasures. Journal of Business Ethics 89, 59–71 (2009)
3. Siponen, M., Vance, A.: Neutralization: New Insights into the Problem of Employee
    Information Systems Security Policy Violations. MIS Quarterly 34, 487 (2010)
4. Puhakainen, P., Siponen, M.: Improving Employees' Compliance Through Information
    Systems Security Training: An Action Research Study. MIS Quarterly 34, 757 (2010)
5. Aurigemma, S., Mattson, T.: Generally Speaking, Context Matters: Making the Case for a
    Change from Universal to Particular ISP Research. Journal of the Association for
    Information Systems (2019)
6. Karlsson, F., Åström, J., Karlsson, M.: Information security culture – state-of-the-art
    review between 2000 and 2013. Info and Computer Security 23, 246–285 (2015)
7. Mahfuth, A., Yussof, S., Baker, A.A., Ali, N.'a.: A systematic literature review:
    Information security culture. In: Social transformation through data science. ICRIIS 2017 :
    5th International Conference on Research and Innovation in Information Systems : Adya
    Hotel, Langkawi, Kedah, 16-17th July 2017, pp. 1–6. IEEE, Piscataway, NJ (2017)
8. Hina, S., Dominic, P.D.D.: Information security policies’ compliance: a perspective for
    higher education institutions. Journal of Computer Information Systems 60, 201–211
    (2020)
9. Leidner, D.F., Kayworth, T.: Review: a review of culture in information systems research:
    toward a theory of information technology culture conflict. MIS Quarterly 30 (2006)
10. Webster, J., Watson, R.T.: Analyzing the Past to Prepare for the Future: Writing a
    Literature Review. MIS Quarterly 26 (2002)
11. Straub, D., Loch, K., Evaristo, R., Karahanna, E., Srite, M.: Toward a Theory-Based
    Measurement of Culture. Journal of Global Information Management 10, 13–23 (2002)
12. Hofstede, G.: Culture's consequences. Comparing values, behaviors, institutions, and
    organizations across nations. Sage Publ, Thousand Oaks, Calif. (2011)
13. Nonaka, I.: A Dynamic Theory of Organizational Knowledge Creation. Organization
    Science 5, 14–37 (1994)
14. Schein, E.H.: Organizational culture and leadership. Jossey-Bass, San Francisco (1997)
15. Sabel, N., Rietz, S.: Interkulturelle Kompetenz: Einfluss der Kultur auf das internationale
    Management. Diplomica Verlag GmbH, Hamburg (2010)
16. Tylor, E.B.: Primitive culture. Researches into the development of mythology, philosophy,
    religion, art, and custom. Cambridge Univ. Press, Cambridge (2010)
17. Keller, E. von: Die kulturvergleichende Managementforschung. Gegenstand, Ziele,
    Methoden, Ergebnisse und Erkenntnisprobleme einer Forschungsrichtung. Haupt, Bern
    (1982)
18. Karahanna, E., Evaristo, J.R., Srite, M.: Levels of Culture and Individual Behavior.
    Journal of Global Information Management 13, 1–20 (2005)
19. Dinev, T., Goo, J., Hu, Q., Nam, K.: User behaviour towards protective information
    technologies: the role of national cultural differences. Info Systems J 19, 391–412 (2009)
20. Hovav, A., D’Arcy, J.: Applying an extended model of deterrence across cultures: An
    investigation of information systems misuse in the U.S. and South Korea. Information &
    Management 49, 99–110 (2012)
21. Hovav, A., D’Arcy, J., Lee, K.: A Cross-Cultural Analysis of Security Countermeasure
    Effectiveness. In: WISP 2007 (2007)
22. Cram, W.A., D'Arcy, J., Proudfoot, J.G.: Seeing the Forest and the Trees: A Meta-Analysis
    of the Antecedents to Information Security Policy Compliance. MISQ 43, 525–554 (2019)
23. Rocha Flores, W., Antonsen, E., Ekstedt, M.: Information security knowledge sharing in
    organizations: Investigating the effect of behavioral information security governance and
    national culture. Computers & Security 43, 90–110 (2014)
24. AlKalbani, A., Deng, H., Kam, B.: Organisational Security Culture and Information
    Security Compliance for E-Government Development: The Moderating Effect of Social
    Pressure. In: PACIS, p. 65 (2015)
25. Amankwa, E., Loock, M., Kritzinger, E.: Establishing information security policy
    compliance culture in organizations. Info and Computer Security 26, 420–436 (2018)
26. Ramachandran, S., Rao, C., Goles, T., Dhillon, G.: Variations in Information Security
    Cultures across Professions: A Qualitative Study. CAIS 33 (2013)
27. Ramachandran, S., Rao, S.V., Goles, T.: Information Security Cultures of Four
    Professions: A Comparative Study. In: Proceedings of the 41st Annual Hawaii
    International Conference on System Sciences (HICSS 2008), p. 454. IEEE (2008)
28. van Niekerk, J., Solms, R. von: A holistic framework for the fostering of an information
    security sub-culture in organizations. In: Issa, 1 (2005)
29. da Veiga, A., Martins, N.: Defining and identifying dominant information security cultures
    and subcultures. Computers & Security 70, 72–94 (2017)
30. Nel, F., Drevin, L.: Key elements of an information security culture in organisations. Info
    and Computer Security 27, 146–164 (2019)
31. van Niekerk, J.F., Solms, R. von: Information security culture: A management perspective.
    Computers & Security 29, 476–486 (2010)
32. Williams, P.A.: What Does Security Culture Look Like For Small Organizations? Security
    Research Institute (SRI), Edith Cowan University (2009)
33. Al Natheer, M., Chan, T., Nelson, K.: Understanding and measuring information security
    culture (2012)
34. Dojkovski, S., Lichtenstein, S., Warren, M.J.: Fostering information security culture in
    small and medium size enterprises: an interpretive study in Australia (2007)
35. Dhillon, G., Syed, R., Pedron, C.: Interpreting information security culture: An
    organizational transformation case study. Computers & Security 56, 63–69 (2016)
36. Ruighaver, A.B., Maynard, S.B., Chang, S.: Organisational security culture: Extending the
    end-user perspective. Computers & Security 26, 56–62 (2007)
37. Ruighaver, A.B., Maynard, S.B.: Organizational Security Culture: More Than Just an End-
    User Phenomenon. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S.
    (eds.) Security and Privacy in Dynamic Environments, pp. 425–430. Springer US, Boston,
    MA (2006)
38. Ashenden, D., Sasse, A.: CISOs and organisational culture: Their own worst enemy?
    Computers & Security 39, 396–405 (2013)
39. Cameron, K., Quinn, R., DeGraff, J., Thakor, A.: Competing Values Leadership. Edward
    Elgar Publishing (2006)
40. Wiley, A., McCormac, A., Calic, D.: More than the individual: Examining the relationship
    between culture and Information Security Awareness. Computers & Security 88, 101640
    (2020)
41. Lin, H.-C.: An investigation of the effects of cultural differences on physicians’
    perceptions of information technology acceptance as they relate to knowledge management
    systems. Computers in Human Behavior 38, 368–380 (2014)
42. Karjalainen, M., Siponen, M., Puhakainen, P., Sarker, S.: One Size Does Not Fit All:
    Different Cultures Require Different Information Systems Security Interventions. In:
    PACIS (2013)
43. D'Arcy, J., Hovav, A., Galletta, D.: User Awareness of Security Countermeasures and Its
    Impact on Information Systems Misuse: A Deterrence Approach. Information Systems
    Research 20, 79–98 (2009)
44. Shaaban, H., Conrad, M.: Democracy, culture and information security: a case study in
    Zanzibar. Info Mngmnt & Comp Security 21, 191–201 (2013)
45. Ali, M., Brooks, L.: A situated cultural approach for cross‐cultural studies in IS. Journal of
    Enterprise Information Management 22, 548–563 (2009)
46. Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Formulating information systems
    risk management strategies through cultural theory. Info Mngmnt & Comp Security 14,
    198–217 (2006)
47. Hu, Q., Dinev, T., Hart, P., Cooke, D.: Managing Employee Compliance with Information
    Security Policies: The Critical Role of Top Management and Organizational Culture.
    Decision Sciences 43, 615–660 (2012)
48. Knapp, K.J., Marshall, T.E., Kelly Rainer, R., Nelson Ford, F.: Information security:
    management's effect on culture and policy. Info Mngmnt & Comp Security 14, 24–36
    (2006)
49. Werlinger, R., Hawkey, K., Beznosov, K.: An integrated view of human, organizational,
    and technological challenges of IT security management. Info Mngmnt & Comp Security
    17, 4–19 (2009)
50. Da Veiga, A., Eloff, J.H.P.: A framework and assessment instrument for information
    security culture. Computers & Security 29, 196–207 (2010)
51. Dojkovski, S., Lichtenstein, S., Warren, M.: Developing information security culture in
    small and medium size enterprises: Australian case studies. In: ECIW2008-7th European
    Conference on Information Warfare and Security: ECIW2008. Reading: Academic
    Conferences Limited, pp. 55–66 (2008)
52. Lapke, M.: Power Relationships in Information Systems Security Policy Formulation and
    Implementation (2008)
53. Da Veiga, A.: The Influence of Information Security Policies on Information Security
    Culture: Illustrated through a Case Study. In: HAISA, pp. 22–33 (2015)
54. Johnsen, S.O., Hansen, C.W., Nordby, Y., Dahl, M.B.: Measurement and Improvement of
    Information Security Culture. Measurement and Control 39, 52–56 (2006)
55. Yoo, B., Donthu, N., Lenartowicz, T.: Measuring Hofstede’s five dimensions of cultural
    values at the individual level: Development and validation of CVSCALE. Journal of
    international consumer marketing 23, 193–210 (2011)

Appendix A: Analyzed Articles
Table 4. Concept matrix: The influence of culture on information security policy compliance
                          behavior. Note: NA = Not Applicable

The Influence of Culture on Information Security Policy Compliance Behavior
Paper               Level of         Method             Theory             Cultural Artefact
                    Analysis
(Hovav and          National         Survey             Deterrence         Hofstedes Cultural
D'Arcy, 2012)                                           Theory             Dimensions
(Yayla, 2011)       National         Survey             Institutional      Hofstedes Cultural
                                                        Theory             Dimensions
(Arage et al.       National         Survey             Rational Choice    NA
2015)                                                   Theory
(Connolly et al.    National         Qualitative        NA                 Hofstedes Cultural
2019)                                                                      Dimensions
(Flores et al.      Organizational   Mixed Method       NA                 NA
2014)
(Harris et al.      National         Survey             NA                 Hofstedes Cultural
2010)                                                                      Dimensions
(Flores et al.      National         Survey             Theory of          Hofstedes Cultural
2015)                                                   planned behavior   Dimensions
(AlKalbani et al.   Organizational   Survey             Technology-        NA
2015)                                                   organization-
                                                        environment
                                                        (TOE) Theory
(Dan and            Organizational   Case Study         Theory of          NA
Lindström, 2011)                     (Typology)         organizational
                                                        behaviour
(Menard et al.      Organizational   Survey             Protection         Hofstedes Cultural
2018)                                                   Motivation         Dimensions
                                                        Theory
(Vroom and Von      Organizational   Conceptual         NA                 NA
Solms, 2004)                         Framework
(Dinev et al.       National         Survey             Theory of          Hofstedes Cultural
2009a)                                                  planned behavior   Dimensions
(Da Veiga, 2015)    Organizational   Case Study         NA                 NA
                                     (Quantitative)
(Crossler et al.    NA               Comment            NA                 NA
2013)
(Cockroft and       National         Survey             NA                 Hofstedes Cultural
Rekker, 2016)                                                              Dimensions
(Connolly et al.    Organizational   Qualitative        Deterrence         NA
2017)                                                   Theory
(Dols and             National           Survey               NA                  Hofstedes Cultural
Silvius, 2010)                                                                    Dimensions
(Warkentin et al.     National           Survey               Deterrence          Hofstedes Cultural
2012)                                                         Theory              Dimensions
(Khaled and           Organizational     Framework            NA                  NA
Lane, 2008)
(Hwee-Joo Kam         National           Comment              Neo Institutional   Hofstedes Cultural
et al. 2014)                                                  Theory              Dimensions
(Hwee-Joo Kam         National           Survey               Organizational      Cross-Cultural
et al. 2015)                                                  Norm Theory         Framework (CVF)
(Arage et al.         National           Survey               Rational Choice     Hofstedes Cultural
2016)                                                         Theory              Dimensions
(Chen et al.          National           Survey               Protection        Hofstedes Cultural
2016)                                                         motivation theory Dimensions
(Vance et al.         National           Survey               Deterrence,         Hofstedes Cultural
2020)                                                         Moral Beliefs,      Dimensions
                                                              Neutralization
(Lin et al. 2020)     National           Qualitative          NA                  Organizational behavior
                                                                                  theory (Schein)
(Cram et al.          National           Meta-Analysis        NA                  NA
2020)
(Da Veiga, 2016)      Individual         Survey               ISCA                NA
                                                              questionnaire
(Karjalainen et       National           Qualitative          NA                  Hofstedes Cultural
al. 2020)                                                                         Dimensions
(Amankwa et al.       Organizational     Survey               Involvement         Organizational behavior
2018)                                                         theory              theory (Schein)
(Dinev et al.         National           Survey               Theory of           Hofstedes Cultural
2009b)                                                        planned behavior    Dimensions
(Alfawaz et al.       Organizational     Case Study           Classification      NA
2010)                                    (Qualitative)        Theory



                Table 5. Concept matrix: Information security culture in organizations.
                                    Note: NA = Not Applicable

Information Security Culture in Organizations
Paper                   Level of          Method                Theory              Cultural Artefact
                        Analysis
(Da Veiga and           Organizational    Conceptual            NA                  NA
Eloff, 2010)                              Framework
(Amjad et al. 2017)     Organizational    Literature            NA                  NA
                                          Review
(Ashenden and           Organizational    Qualitative           NA                  NA
Sasse, 2013)
(Da Veiga and       Individual /     Survey             NA               NA
Martins, 2017)      Subunit
(AlHogail, 2015)    Organizational   Conceptual         NA               NA
                                     Framework
(Lim et al. 2010)   Organizational   Case Study         NA               NA
                                     (Qualitative)
(Van Niekerk and    Organizational   Conceptual         NA               NA
Von Solms, 2010)                     Framework
(Dhillon et al.     Organizational   Case Study         Dimensions of    Theory of cultural
2016)                                (Qualitative)      Organizational   message streams
                                                        Culture
(Ruighaver et al.   Organizational   Conceptual         Organizational   NA
2007)                                Framework          Culture
                                                        Framework
(D'Arcy and         Organizational   Survey             NA               NA
Greene, 2014)
(Kolkowska, 2011)   Individual /     Case Study         NA               NA
                    Subunit          (Qualitative)
(Alnatheer et al.   Organizational   Survey             NA               NA
2012)
(Lacey, 2010)       Organizational   Literature         NA               NA
                                     Review
(Ramachandran et    Individual /     Qualitative        NA               NA
al. 2013)           Subunit
(Dojkovski et al.   Organizational   Case Study         NA               NA
2007)                                (Mixed
                                     Method)
(Martins and Da     Organizational   Survey             NA               NA
Veiga, 2015)
(Shuchih and Chin-  Organizational   Conceptual         NA               NA
Shien, 2007)                         Framework
(Van Niekerk and    Individual /     Conceptual         NA               NA
Von Solms, 2005)    Subunit          Framework
(Van Niekerk and    Organizational   Conceptual         NA               Organizational Cultural
Von Solms, 2006)                     Framework                           Framework
(Zakaria, 2006)     Individual /     Conceptual         NA               NA
                    Subunit          Framework
(Alhogail and       Organizational   Literature         NA               NA
Mirza, 2014)                         Review
(Alhogail and       Organizational   Literature         NA               NA
Mirza, 2014)                         Review
(Alnatheer and      Organizational   Conceptual         NA               NA
Nelson, 2009)                        Framework
(Malcolmson,           Organizational    Qualitative         NA                  NA
2009)
(Ramachandran et       Individual /      Qualitative         NA                  NA
al. 2008)              Subunit
(Schlienger and        Organizational    Conceptual          NA                  Organizational Cultural
Teufel, 2003)                            Framework                               Framework
(Zakaria, 2004)        Organizational    Comment             NA                  Organizational Cultural
                                                                                 Framework
(Ruighaver and         Organizational    Conceptual          NA                  NA
Maynard, 2006)                           Framework
(Thomson et al.        Organizational    Conceptual          NA                  NA
2006)                                    Framework
(Martins and Eloff,    Organizational    Conceptual          NA                  NA
2002)                                    Framework
(Da Veiga et al.       Organizational    Survey              OISCM Model         NA
2020)
(Nel and Drevin,       Organizational    Qualitative         PMT                 Organizational Cultural
2019)                                                                            Framework
(Tang et al. 2016)     Organizational    Case Study          NA                  Hofstedes Cultural
                                                                                 Dimensions
(Da Veiga, 2018)       Organizational    Survey              ISCA                NA
                                                             Questionnaire
(Connolly and          Organizational    Mixed Method        NA                  NA
Lang, 2013)
(Lim et al. 2009)      Organizational    Literature          NA                  Organizational Cultural
                                         Review                                  Framework
(Ngo et al. 2005)      Organizational    Conceptual          NA                  NA
                                         Framework
(Van Niekerk and       Organizational    Design Science      NA                  Organizational Cultural
Von Solms, 2013)                                                                 Framework
(Williams, 2009)       Organizational    Conceptual          NA                  Organizational Cultural
                                         Framework                               Framework



Table 6. Concept matrix: The influence of culture on information security awareness programs
                                Note: NA = Not Applicable

The Influence of Culture on Information Security Awareness Programs
Paper                 Level of          Method              Theory             Cultural Artefact
                      Analysis
(Lin and Hsien-       National          Survey              Theory of          Hofstedes Cultural
Cheng, 2014)                                                planned behavior   Dimensions
(Plachkinova and      National          Survey              NA                 Hofstedes Cultural
Andrés, 2015)                                                                  Dimensions
(Karjalainen et     National            Conceptual        NA              NA
al. 2013)                               Framework
(Flores et al.      Organizational      Survey            NA              NA
2016)
(Pienta et al.      Organizational      Experiment        SETA            Competing Value
2017)                                                                     Framework (Cameron &
                                                                          Quinn 2006)
(Chen et al.        National            Experiment        NA              Hofstedes Cultural
2008)                                                                     Dimensions
(Schmidt et al.     National            Survey            NA              NA
2008)
(Wiley et al.       Individual          Survey            HAIS-Q          Organizational Security
2020)                                                                     Culture Measure.



       Table 7. Concept matrix: The effect of culture on information security governance
                                 Note: NA = Not Applicable

The Effect of Culture on Information Security Governance
Paper              Level of          Method          Theory          Cultural Artefact
                   Analysis
(Da Veiga and      Organizational Conceptual         NA              NA
Eloff, 2007)                      Framework
(Werlinger et      Organizational Qualitative        NA              NA
al. 2009)
(Shaaban and       National          Mixed Method    NA              Hofstedes Cultural Dimensions
Conrad, 2013)
(Tsohou et al.     National          Conceptual      NA              NA
2006)                                Framework
(Da Veiga and      Organizational Case Study         NA              NA
Martins, 2015)                    (Quantitative)
(Knapp et al.      Organizational Mixed Method       NA              NA
2006)
(Da Veiga et al.   Organizational Survey             NA              NA
2007)
(Bess, 2009)       Organizational Case Study         Structuration   NA
                                  (Qualitative)      Theory
(Martin and        Organizational Conceptual         NA              NA
Eloff, 2002)                      Framework
(Okere et al.      Organizational Qualitative        NA              NA
2012)
(Von Solms and     Organizational Comment            NA              Schein (1992)
von Solms
2004)
      (Ali and           National        Conceptual     Structuration   Straub 2002
      Brooks, 2009)                      Framework      Theory
      (Hu et al. 2012)   Organizational Survey          TPB             NA
      (D'Arcy et al.     National        Survey         Deterrence      Hofstedes Cultural Dimensions
      2007)                                             Theory
      (Lapke and         Organizational Case Study      NA              Circuits of Power (Clegg 2002)
      Dhillon, 2008)                    (Qualitative)
      (Hina et al.       Organizational Literature      NA              NA
      2020)                             Review
      (Corriss, 2010)    Organizational Case Study      Broken          NA
                                        (Qualitative)   Window
                                                        Theory
      (Dojkovski et      Organizational Conceptual      NA              NA
      al. 2007)                         Framework
      (Ghernaouti et     Organizational Case Study      NA              NA
      al. 2010)                         (Qualitative)
      (Johnsen et al.    Organizational Conceptual      NA              Hudson (2002)
      2006)                             Framework
      (Luo et al.        Organizational Survey          NA              Hofstedes Cultural Dimensions
      2009)




     Appendix B: Identified Articles

1.   Lin, H.-C.: An investigation of the effects of cultural differences on physicians’ perceptions of
     information technology acceptance as they relate to knowledge management systems. Computers
     in Human Behavior 38, 368–380 (2014)
2.   Werlinger, R., Hawkey, K., Beznosov, K.: An integrated view of human, organizational, and
     technological challenges of IT security management. Info Mngmnt & Comp Security 17, 4–19
     (2009)
3.   Veiga, A.D., Eloff, J.H.P.: An Information Security Governance Framework. Information
     Systems Management 24, 361–372 (2007)
4.   Mahfuth, A., Yussof, S., Baker, A.A., Ali, N.'a.: A systematic literature review: Information
     security culture. In: Social transformation through data science. ICRIIS 2017 : 5th International
     Conference on Research and Innovation in Information Systems : Adya Hotel, Langkawi, Kedah,
     16-17th July 2017, pp. 1–6. IEEE, Piscataway, NJ (2017)
5.   Da Veiga, A., Eloff, J.H.P.: A framework and assessment instrument for information security
     culture. Computers & Security 29, 196–207 (2010)
6.   Amankwa, E., Loock, M., Kritzinger, E.: Establishing information security policy compliance
     culture in organizations. Info and Computer Security 26, 420–436 (2018)
7.   J. Malcolmson: What is security culture? Does it differ in content from general organisational
     culture? In: 43rd Annual 2009 International Carnahan Conference on Security Technology, pp.
     361–366 (2009)




8.    Bess, D.: Understanding information security culture for strategic use: a case study. AMCIS 2009
      Proceedings, 219 (2009)
9.    Alnatheer, M., Nelson, K.: Proposed framework for understanding information security culture
      and practices in the Saudi context (2009)
10.   AlHogail, A., Mirza, A.: Information security culture: A definition and a literature review. In:
      2014 World Congress on Computer Applications and Information Systems (WCCAIS), pp. 1–7.
      IEEE (2014)
11.   AlHogail, A., Mirza, A.: A FRAMEWORK OF INFORMATION SECURITY CULTURE
      CHANGE. Journal of Theoretical & Applied Information Technology 64 (2014)
12.   Zakaria, O.: Internalisation of Information Security Culture amongst Employees through Basic
      Security Knowledge. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds.)
      Security and Privacy in Dynamic Environments, pp. 437–441. Springer US, Boston, MA (2006)
13.   van Niekerk, J., Solms, R. von: Understanding Information Security Culture: A Conceptual
      Framework. In: ISSA, pp. 1–10 (2006)
14.   van Niekerk, J., Solms, R. von: A holistic framework for the fostering of an information security
      sub-culture in organizations. In: Issa, 1 (2005)
15.   Ernest Chang, S., Lin, C.‐S.: Exploring organizational culture for information security
      management. Industr Mngmnt & Data Systems 107, 438–458 (2007)
16.   Martins, N., da Veiga, A.: An Information Security Culture Model Validated with Structural
      Equation Modelling. In: HAISA, pp. 11–21 (2015)
17.   Dojkovski, S., Lichtenstein, S., Warren, M.J.: Fostering information security culture in small and
      medium size enterprises: an interpretive study in Australia (2007)
18.   Da Veiga, A.: The Influence of Information Security Policies on Information Security Culture:
      Illustrated through a Case Study. In: HAISA, pp. 22–33 (2015)
19.   Dinev, T., Goo, J., Hu, Q., Nam, K.: User behaviour towards protective information technologies:
      the role of national cultural differences. Info Systems J 19, 391–412 (2009)
20.   Martins, N., Da Veiga, A., Eloff, J.H.P.: Information security culture-validation of an assessment
      instrument. Southern African Business Review 11, 147–166 (2007)
21.   McCoy, S., Galletta, D.F., King, W.R.: Integrating National Culture into IS Research: The Need
      for Current Individual Level Measures. CAIS 15 (2005)
22.   Ramachandran, S., Rao, C., Goles, T., Dhillon, G.: Variations in Information Security Cultures
      across Professions: A Qualitative Study. CAIS 33 (2013)
23.   Dinev, T., Goo, J., Hu, Q., Nam, K.: User behaviour towards protective information technologies:
      the role of national cultural differences. Info Systems J 19, 391–412 (2009)
24.   Lacey, D.: Understanding and transforming organizational security culture. Info Mngmnt &
      Comp Security 18, 4–13 (2010)
25.   Al Natheer, M., Chan, T., Nelson, K.: Understanding and measuring information security culture
      (2012)
26.   Vroom, C., Solms, R. von: Towards information security behavioural compliance. Computers &
      Security 23, 191–198 (2004)
27.   Pienta, D., Pu, W., Purvis, R.: The Impact of Culture on Information Security: Exploring the
      Tension of Flexibility and Control. In: ICIS 2017 (2017)
28.   Menard, P., Warkentin, M., Lowry, P.B.: The impact of collectivism and psychological
      ownership on protection motivation: A cross-cultural examination. Computers & Security 75,
      147–166 (2018)




29. Harnesk, D., Lindström, J.: Shaping security behaviour through discipline and agility. Info
    Mngmnt & Comp Security 19, 262–276 (2011)
30. Rocha Flores, W., Ekstedt, M.: Shaping intention to resist social engineering through
    transformational leadership, information security culture and awareness. Computers & Security
    59, 26–44 (2016)
31. Kolkowska, E.: Security subcultures in an organization-exploring value conflicts. In: ECIS 2011
    Proceedings. 243. (2011)
32. D'Arcy, J., Greene, G.: Security culture and the employment relationship as drivers of employees’
    security compliance. Info Mngmnt & Comp Security 22, 474–489 (2014)
33. Ruighaver, A.B., Maynard, S.B., Chang, S.: Organisational security culture: Extending the end-
    user perspective. Computers & Security 26, 56–62 (2007)
34. AlKalbani, A., Deng, H., Kam, B.: Organisational Security Culture and Information Security
    Compliance for E-Government Development: The Moderating Effect of Social Pressure. In:
    PACIS, p. 65 (2015)
35. M. Karjalainen, M. Siponen, Petri Puhakainen, S. Sarker: One Size Does Not Fit All: Different
    Cultures Require Different Information Systems Security Interventions. In: PACIS (2013)
36. Rocha Flores, W., Holm, H., Nohlberg, M., Ekstedt, M.: Investigating personal determinants of
    phishing and the effect of national culture. Info and Computer Security 23, 178–199 (2015)
37. Dhillon, G., Syed, R., Pedron, C.: Interpreting information security culture: An organizational
    transformation case study. Computers & Security 56, 63–69 (2016)
38. Harris, A.L., Yates, D., Harris, J.M., Quaresma, R.: Information System Ethical Attitudes: A
    Cultural Comparison of the United States, Spain, and Portugal. In: AMCIS, p. 234 (2010)
39. Knapp, K.J., Marshall, T.E., Kelly Rainer, R., Nelson Ford, F.: Information security:
    management's effect on culture and policy. Info Mngmnt & Comp Security 14, 24–36 (2006)
40. Thomson, K.-L., Solms, R. von: Information security obedience: a definition. Computers &
    Security 24, 69–75 (2005)
41. Rocha Flores, W., Antonsen, E., Ekstedt, M.: Information security knowledge sharing in
    organizations: Investigating the effect of behavioral information security governance and
    national culture. Computers & Security 43, 90–110 (2014)
42. van Niekerk, J.F., Solms, R. von: Information security culture: A management perspective.
    Computers & Security 29, 476–486 (2010)
43. Karlsson, F., Åström, J., Karlsson, M.: Information security culture – state-of-the-art review
    between 2000 and 2013. Info and Computer Security 23, 246–285 (2015)
44. Connolly, L.Y., Lang, M., Wall, D.S.: Information Security Behavior: A Cross-Cultural
    Comparison of Irish and US Employees. Information Systems Management 36, 306–322 (2019)
45. Tilahun Muluneh Arage, France Bélanger, Tibebe Beshah: Influence of National Culture on
    Employees’ Compliance with Information Systems Security (ISS) Policies: Towards ISS Culture
    in Ethiopian Companies. In: AMCIS (2015)
46. da Veiga, A., Martins, N.: Improving the information security culture through monitoring and
    implementation actions illustrated through a case study. Computers & Security 49, 162–176
    (2015)
47. Plachkinova, Miloslava and Andrés, Steven: Improving Information Security Training: An
    Intercultural Perspective. In: PACIS 2015 Proceedings 167 (2015)




48. Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Formulating information systems risk
    management strategies through cultural theory. Info Mngmnt & Comp Security 14, 198–217
    (2006)
49. Yayla, A.: ENFORCING INFORMATION SECURITY POLICIES THROUGH CULTURAL
    BOUNDARIES: A MULTINATIONAL COMPANY APPROACH. In: ECIS 2011 Proceedings.
    243. (2011)
50. Lim, J.S., Ahmad, A., Chang, S., and Maynard, S.: Embedding Information Security Culture
    Emerging Concerns and Challenges. In: PACIS 2010 Proceedings. 43. (2010)
51. AlHogail, A.: Design and validation of information security culture framework. Computers in
    Human Behavior 49, 567–575 (2015)
52. Shaaban, H., Conrad, M.: Democracy, culture and information security: a case study in Zanzibar.
    Info Mngmnt & Comp Security 21, 191–201 (2013)
53. da Veiga, A., Martins, N.: Defining and identifying dominant information security cultures and
    subcultures. Computers & Security 70, 72–94 (2017)
54. Ashenden, D., Sasse, A.: CISOs and organisational culture: Their own worst enemy? Computers
    & Security 39, 396–405 (2013)
55. Arage, T., Belanger, F., Beshah, T.: Influence of National Culture on Employees’ Compliance
    with Information Systems Security (ISS) Policies: Towards ISS Culture in Ethiopian Companies.
    In: AMCIS (2015)
56. Williams, P.A.: What Does Security Culture Look Like For Small Organizations? Security
    Research Institute (SRI), Edith Cowan University (2009)
57. van Niekerk, J., Solms, R. von: A theory based approach to information security culture change.
    Information (Japan) 16, 3907–3930 (2013)
58. Ngo, L., Zhou, W., Warren, M.: Understanding Transition towards Information Security Culture
    Change. In: AISM, pp. 67–73 (2005)
59. Luo, X., Warkentin, M., Johnston, A.C.: The impact of national culture on workplace privacy
    expectations in the context of information security assurance. In: AMCIS 2009, p. 521 (2009)
60. Lim, J.S., Chang, S., Maynard, S., Ahmad, A.: Exploring the Relationship between
    Organizational Culture and Information Security Culture. Security Research Institute (SRI),
    Edith Cowan University (2009)
61. Johnsen, S.O., Hansen, C.W., Nordby, Y., Dahl, M.B.: Measurement and Improvement of
    Information Security Culture. Measurement and Control 39, 52–56 (2006)
62. Ghernaouti-Hélie, S., Tashi, I., Simms, D.: A Multi-stage Methodology for Ensuring Appropriate
    Security Culture and Governance. In: 2010 International Conference on Availability, Reliability
    and Security, pp. 353–360. IEEE (2010)
63. Dojkovski, S., Lichtenstein, S., Warren, M.: Developing information security culture in small
    and medium size enterprises: Australian case studies. In: ECIW2008-7th European Conference
    on Information Warfare and Security: ECIW2008. Reading: Academic Conferences Limited, pp.
    55–66 (2008)
64. Corriss, L.: Information security governance. In: Bishop, M. (ed.) Proceedings of the 2010
    Workshop on Governance of Technology, Information and Policies - GTIP '10, pp. 35–41. ACM
    Press, New York, New York, USA (2010)
65. Connolly, Lena and Lang, Michael: Information Systems Security: The Role of Cultural Aspects
    in Organizational Settings. In: WISP 2012 Proceedings. 30. (2012)




66. Lena Connolly, M. Lang: Investigation of cultural aspects within information systems security
    research. 2012 International Conference for Internet Technology and Secured Transactions, 105–
    111 (2012)
67. Alfawaz, S., Nelson, K., Mohannak, K.: Information security culture: a behaviour compliance
    conceptual framework. In: Information Security 2010: AISC’10 Proceedings of the Eighth
    Australasian Conference on Information Security [Conferences in Research and Practice in
    Information Technology, Volume 105], pp. 51–60 (2010)
68. Karjalainen, M., Siponen, M., Puhakainen, P., Sarker, S.: Universal and Culture-dependent
    Employee Compliance of Information Systems Security Procedures. Journal of Global
    Information Technology Management 23, 5–24 (2020)
69. da Veiga, A.: An approach to information security culture change combining ADKAR and the
    ISCA questionnaire to aid transition to the desired culture. Info and Computer Security 26, 584–
    612 (2018)
70. Tang, M., Li, M.’g., Zhang, T.: The impacts of organizational culture on information security
    culture: a case study. Inf Technol Manag 17, 179–186 (2016)
71. da Veiga, A.: Comparing the information security culture of employees who had read the
    information security policy and those who had not. Info and Computer Security 24, 139–151
    (2016)
72. Nel, F., Drevin, L.: Key elements of an information security culture in organisations. Info and
    Computer Security 27, 146–164 (2019)
73. Cram, W.A., D'Arcy, J., Proudfoot, J.G.: Seeing the Forest and the Trees: A Meta-Analysis of
    the Antecedents to Information Security Policy Compliance. MISQ 43, 525–554 (2019)
74. Lin, C., Kunnathur, A.S., Li, L.: The Cultural Foundation of Information Security Behavior.
    Journal of Database Management 31, 21–41 (2020)
75. Vance, A., Siponen, M.T., Straub, D.W.: Effects of sanctions, moral beliefs, and neutralization
    on information security policy violations across cultures. Information & Management 57, 103212
    (2020)
76. Hina, S., Dominic, P.D.D.: Information security policies’ compliance: a perspective for higher
    education institutions. Journal of Computer Information Systems 60, 201–211 (2020)
77. da Veiga, A., Astakhova, L.V., Botha, A., Herselman, M.: Defining organisational information
    security culture—Perspectives from academia and industry. Computers & Security 92, 101713
    (2020)
78. Wiley, A., McCormac, A., Calic, D.: More than the individual: Examining the relationship
    between culture and Information Security Awareness. Computers & Security 88, 101640 (2020)
79. Chen, Y., Zahedi, F.M.: Individuals' Internet Security Perceptions and Behaviors: Polycontextual
    Contrasts Between the United States and China. MISQ 40, 205–222 (2016)
80. Arage, T.M., Belanger, F., and Tesema, T.B.: Investigating the Moderating Impact of National
    Culture in Information Systems Security Policy Violation: The Case of Italy and Ethiopia.
    In: MCIS 2016 Proceedings. 56. (2016)
81. Kam, H.-J., Katerattanakul, P., Hong, S.-G.: A Tale of Two Cities: Information Security Policy
    Compliance of the Banking Industry in the United States and South Korea. University of
    Münster, Münster, Germany (2015)
82. Hwee-Joo Kam, Pairin Katerattanakul, Soongoo Hong: The Three Musketeers: Impacts of
    National Culture, Organizational Norms and Institutional Environment on Information Security
    Policy Compliance. In: WISP 2014 (2014)




83. K. Alshare, P. Lane: A Conceptual Model for Explaining Violations of the Information Security
     Policy (ISP): A Cross Cultural Perspective. In: AMCIS (2008)
84. Lapke, M.: Power Relationships in Information Systems Security Policy Formulation and
     Implementation (2008)
85. M. Warkentin, Nirmalee Malimage, Kalana Malimage: Impact of Protection Motivation and
     Deterrence on IS Security Policy Compliance: A Multi-Cultural View. In: WISP 2012 (2012)
86. T. Dols, A. Silvius: Exploring the Influence of National Cultures on Non-Compliance Behavior.
     Communications of the IIMA 10, 2 (2010)
87. Hovav, A., D’Arcy, J., Lee, K.: A Cross-Cultural Analysis of Security Countermeasure
     Effectiveness. In: WISP 2007 (2007)
88. Martins, A., Eloff, J.: Information security culture. In: Security in the information society, pp.
     203–214. Springer (2002)
89. Hu, Q., Dinev, T., Hart, P., Cooke, D.: Managing Employee Compliance with Information
     Security Policies: The Critical Role of Top Management and Organizational Culture*. Decision
     Sciences 43, 615–660 (2012)
90. Wetzels, Odekerken-Schröder, van Oppen: Using PLS Path Modeling for Assessing Hierarchical
     Construct Models: Guidelines and Empirical Illustration. MIS Quarterly 33, 177 (2009)
91. Yuryna Connolly, L., Lang, M., Gathegi, J., Tygar, D.J.: Organisational culture, procedural
     countermeasures, and employee security behaviour. Info and Computer Security 25, 118–136
     (2017)
92. Cockcroft, S., Rekker, S.: The relationship between culture and information privacy policy.
     Electron Markets 26, 55–72 (2016)
93. Chen, C.C., Medlin, B.D., Shaw, R.S.: A cross-cultural investigation of situational information
     security awareness programs. Info Mngmnt & Comp Security (2008)
94. Ali, M., Brooks, L.: A situated cultural approach for cross‐cultural studies in IS. Journal of
     Enterprise Information Management 22, 548–563 (2009)
95. Thomson, K.-L., Solms, R. von, Louw, L.: Cultivating an organizational information security
     culture. Computer Fraud & Security 2006, 7–11 (2006)
96. Ruighaver, A.B., Maynard, S.B.: Organizational Security Culture: More Than Just an End-User
     Phenomenon. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds.) Security
     and Privacy in Dynamic Environments, pp. 425–430. Springer US, Boston, MA (2006)
97. Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M., Baskerville, R.: Future
     directions for behavioral information security research. Computers & Security 32, 90–101 (2013)
98. Zakaria, O.: Understanding Challenges of Information Security Culture: A Methodological Issue.
     In: AISM, pp. 83–93 (2004)
99. Solms, R. von, Solms, B. von: From policies to culture. Computers & Security 23, 275–279
     (2004)
100. Schlienger, T., Teufel, S.: Information security culture-from analysis to change. South African
     Computer Journal 2003, 46–52 (2003)
101. Ramachandran, S., Rao, S.V., Goles, T.: Information Security Cultures of Four Professions: A
     Comparative Study. In: Proceedings of the 41st Annual Hawaii International Conference on
     System Sciences (HICSS 2008), p. 454. IEEE (2008)
102. Okere, I., van Niekerk, J., Carroll, M.: Assessing information security culture: A critical analysis
     of current approaches. In: 2012 Information Security for South Africa, pp. 1–8 (2012)
103. Martins, A., Eloff, J.: Assessing Information Security Culture. In: ISSA, pp. 1–14 (2002)



