Reviewing the Interrelation Between Information Security and Culture: Toward an Agenda for Future Research Sebastian Hengstler1, Natalya Pryazhnykova1 1 Chair of Information Security and Compliance, University of Goettingen, Germany s.hengstler@stud.uni-goettingen.de, pryazhnykova@gmail.com Abstract. The main goal of this paper is to provide a review of existing research on the interrelationships between information security and culture. The results of this study are based on a structured literature review of current research on the interrelationships between information security and culture, published between 2000 and 2020 (September). Our results show that current research has focused on four core themes: (1) the influence of culture on information security policy compliance behavior, (2) information security culture in organizations, (3) the influence of culture on information security awareness programs and (4) the effect of culture on information security governance. Our results show, that so far, the mentioned topics have been investigated from different perspectives. However, our results offer potential for future research, e.g. in the connections between information security and individual cultural values or in the area of information security awareness. Keywords: Information Security and Culture, Literature Review, Information Security 1 Introduction Information security represents a field of increasing scholarly interest from a practical and theoretical perspective and includes various critical dimensions, which need to be considered to ensure a high level of information security e.g. in organizations [1]. Important mechanisms to guarantee information security are technical measures, such as firewalls, to protect networks or various authorization measures for hardware protection [2]. However, it is a well-known fact that attacks on information security systems in private or professional usage start at the weakest point which is failure caused by an individual [3]. This is the reason, why measures to ensure compliant behavior of employees in various organizations are becoming increasingly crucial [4]. Existing studies analyze a variety of mechanisms that influence the compliance behavior of employees, such as the social environment of an individual, the use of informal and formal sanctions to ensure compliance or the use of threat and coping 16th International Conference on Wirtschaftsinformatik, March 2021, Essen, Germany Copyright © 2021 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). 52 appraisals [1]. Furthermore, existing research presents, that contextual differences are an essential factor to consider, when designing information security measures to achieve compliance behavior [5]. Besides the distinction between different types of information security breaches, culture is an important contextual component of current information security research [6]. Over the last two decades, culture has been analyzed from different angles in the context of information security and there are different approaches in research, which aim to explain how these two aspects relate. The results of existing literature reviews in the field of information security and culture show a variety of different outcomes. Mahfuth et al. (2017) analyzed existing research regarding information security, organizational culture and the relation of these two fields. [7]. Karlsson and Åström (2015) provide an overview of the research in the area of information security culture [6]. Hina and Dominic (2020) identify information security and culture as current trending topic in information security research [8]. In summary, there are recent approaches, which analyze the interrelations between information security and culture from different perspectives. However, we believe that a comprehensive overview that represents the different perspectives and top themes of information security culture research is still missing, but can help to provide a more complete view on the relation of culture and information security [9]. The aim of this paper is to summarize existing research about information security and culture in order to increase the understanding of the influence of culture and its relevance to information security. The scope of this paper is to identify the current research themes in this field, and to provide further directions for future research. In our analysis, we build on existing cultural concepts to identify interrelations between culture and information security research. We used the approach of Leidner and Kayworth (2006) to analyze the interrelations between culture and information security, in combination with the process for a structured literature analysis of Webster and Watson (2002) [9, 10]. With our research, we aim to contribute to current literature in providing a comprehensive view on the current state of the interrelation between information security and culture research. Our study provides an overview not only about analyzed cultural levels and artefacts, but also used research approaches (methods and theories). In addition to that, we identified overlapping and less analyzed aspects in existing research. We identified both major and minor gaps in the literature and provided implications for further research. This study is structured as follows. In section 2, we defined the relevant concepts of culture we used in our literature analysis. In section 3, the literature analysis process is explained. We described outcomes of this paper and defined focus themes in information security and culture research in section 4. An overview about potential future research is presented in section 5. The paper concludes in section 6. 53 2 The Concept of Culture In other research areas such as Social Studies or Psychology, culture is understood as a summary of ideologies, beliefs, basic assumptions, shared norms and values, that have an influence on the collective will [11, 12]. Other approaches analyze the construct of culture from a different perspective and focus on individual cultural dimensions, which describe the individual components of culture [13]. Schein's (1997) three-level model of culture shows a model to explain culture within organizations [14]. Due to these differences and the fact, that the concept of culture is characterized by its many meanings and possible interpretations, it is rather challenging to define an overall definition of the concept of culture [15]. The first modern interpretation was made by Edward Tylor, who described culture as the collection of all skills and habits such as knowledge, beliefs or laws, which are shaped by society [16]. Hofstede specified the shaping of behavior by society and defined culture as a collective coding of the mind by which the members of a group distinguish themselves from the members of other groups [12]. Because of the fact that culture includes all rules, norms and the code of conduct of a collective, it has an influence on the behavior of the individuals of a group and is consequently controlling behavior [17]. In the area of information systems, the extent to which these are related to the topic of culture was also investigated. Leidner and Kayworth (2006), for example, analyzed different approaches in the area of information systems and culture in terms of their underlying theoretical cultural artifacts. They pointed out, that a relation between information systems and these cultural artefacts can occur on several levels of culture. Examples of this are a connection in the context of IT culture, the IT adoption process and cultural dependencies in IT management. In their analysis they distinguish between the national, organizational, and individual levels of analysis and name several cultural artefacts, which are used in research to analyze the interrelation between culture and information systems [9]. The national unit of analysis is described as the analysis of cultural orientation, based on a samples nationality, where different countries are chosen as the object of the study [12]. At the organizational level, studies analyze cultural differences in different organizational units, e.g. in different companies [14]. The analysis of smaller groups or individuals describes the study of individual behavior or within social groups [18]. As a subdiscipline of information systems research, we can relate these findings to current topics in information security research [6, 7]. For example, topics such as security culture, compliance behavior or security management can also be identified in the security domain, which show similarities to existing information systems research in other research streams. To make the results of our analysis comparable to existing research, we adapt Leidner and Kayworth's (2006) approach and analyze the identified literature, based on used cultural artifacts and their level of analysis [9]. 54 3 Literature Analysis Process For the literature analysis we adapt the methodological approach established in the field of information systems research according to Webster and Watson (2002) [10], which provides a solution for the systematic identification and analysis of relevant literature. The following plan was used for the consistent implementation of the methodological approach in our literature analysis. Firstly, the subject area was defined and our target group for our research was specified. At this point, our intention was to determine the current state of the research about the influence of culture on information security. Therefore, we concentrated on research outcomes, that shed light on the connection between these two topics. The scope of our literature review is to identify central topics in the interrelation of these research areas. We address mainly specialized scholars analyzing the effect of culture on information security or scholars interested in cross- cultural research in the field of information security. Secondly, we conceptualized the core elements that will be used for the systematic categorization of identified literature. In order to classify and analyze the identified literature with respect to our research purpose, we have transferred the common characteristics of this research area from existing literature reviews, namely the methodological approach, cultural level of analysis, underlying theories and considered cultural artefacts, and used them in the form of a concept matrix for the analysis of our identified literature [9, 12, 13].Thirdly, we specified characteristics, which we wanted to analyze, the databases selection and the definition of our search terms. Since research in the field of information security and culture is published in conference proceedings as well as in international journals, we used different databases. The databases EbscoHost, Aisel and AbiInform were used to obtain a broad coverage of both international journals and conference proceedings in our research area. Forward and backward search was conducted with the database Web-of-Science. Generally, publications in relevant journals and conferences of information security research were considered in our analysis. Publications from other disciplines in our research area were also included if they were of high relevance (e.g. high citation rate). We followed the orientation of Karlsson and Åström (2015) and considered literature published since 2000 [6]. In order to identify potentially relevant literature, we analyzed the keywords, the abstract and the title of the respective studies. The use of the search queries in the different databases resulted in a list of 461 publications, including duplicates. After deleting duplicates and articles with incorrect content that were not in the focus of our analysis, we received a list of 103 articles to be analyzed. 53 of these articles were identified in the initial search, 37 in the forward search and 13 in the backward search. In total, 58 articles where published in information systems or computer science journals and 45 articles on related conferences. A list of our search terms and constructs used to classify the results is shown in Table 1. 55 Table 1. Search terms and analyzed concepts. Search Terms Analyzed Concepts Information security culture Theories Information security AND culture Cultural Dimensions Information security AND organizational culture Used Methodical Approach Information security AND national culture Cultural Level of Analysis (National, Information security AND information security culture Organizational, Individual/Subunit) In a fourth step, we analyzed the identified literature according to the identified characteristics. We considered articles published between 2000 and 2020 (September). An Overview about the considered articles per journal/conference is shown in table 2. Table 2. Identified articles by journal and conference Journal Title Amount Organizational behavior Computers & Security 1 Information Systems Management 2 Information Management & Computer Security 9 Computers in Human Behavior 2 Information & Management 2 Computers & Security 15 Information and Computer Security 6 Information Systems Journal 2 Communications of the Association for Information Systems 2 Southern African Business Review 1 Computer Fraud Security 2 Journal of Theoretical and Applied Information Technology 1 South African Computer Journal 1 Journal of Enterprise Information Management 1 Electronic Markets 1 Journal of Global Information Management 1 Decision Sciences 1 MIS Quarterly 2 Journal of Computer Information Systems 1 Journal of Database Management 1 Information Technology and Management 1 Journal of Global Information Technology Management 1 56 Conference Title Amount International Conference on Research and Innovation in Information Systems 1 (ICRIIS) Pacific Asia Conference on Information Systems (PACIS) 5 American Conference on Information Systems (AMCIS) 6 European Conference on Information Systems (ECIS) 4 International Conference on Information Systems (ICIS) 1 Human Aspects of Information Security & Assurance (HAISA) 2 International Social Security Association (ISSA) 3 International Conference on Information Security and Cryptology (ICISC) 3 IEEE World Congress On Computer Applications and Information Systems (WCCAIS) 1 Australian Information Security Management Conference (AISM) 6 International Carnahan Conference on Security Technology (ICCST) 1 Conference on Information Security for South Africa (ISSA) 1 Hawaii International Conference on System Sciences (HICSS) 1 Wireless Internet Service Providers Conference (WISP) 4 International Information Management Association Conference (IIMA) 1 Mediterranean Conference on Information Systems (MCIS) 1 International Conference for Internet Technology and Secured Transactions (ICITS) 1 Workshop on Governance of Technology, Information and Policies 1 European Conference on Information Warfare and Security (ECIW) 1 International Conference on Availability, Reliability and Security 1 Finally, the identified topics of existing literature were discussed, and current trends and further research potential were presented. We describe the last two steps in the following chapters. 4 Results A total of 103 articles were analyzed in this literature review. Among them, 28 articles examined culture at the national level in the context of information security and 63 examined culture at the organizational level. There were 8 studies that examined culture at the individual/subunit level in the context of information security. Over 71% of the studies on the national cultural level used Hofstede's culture dimensions [12]. The organizational level studies often do not use explicit cultural artifacts (68%). The most represented cultural artifact at the organizational level is Schein's (1992) model of organizational culture (12%) [14]. No explicit cultural artifacts were studied on the individual/subunit cultural level. Additionally, we categorized the articles by their 57 scientific approach. Overall, there are two trends which were identified for the methodological approaches. 23% of the articles rely on conceptual frameworks. 32% of the identified articles used a questionnaire-based, quantitative methodological approach. Other methodological approaches are less represented. In terms of used theories, many articles have a more theory generating nature and do not use an existing theory (66%) for their studies. The types of theories do not indicate a focus. Furthermore, we were able to identify overall focus themes within the analyzed articles dealing with the interrelations between information security and culture: (1) the influence of culture on information security policy compliance behavior, (2) information security culture in organizations, (3) the influence of culture on information security awareness programs and (4) the effect of culture on information security governance. We were not able to assign three identified articles to the mentioned articles and did not consider them in more detail. The following chapters describe the identified focus topics in more detail. A list of the identified and characterized literature, based on our observed concepts of theories, methods, cultural artifacts, and cultural level of analysis is listed in the appendix (Tables 4-7). 4.1 The Influence of Culture on Information Security Policy Compliance Behavior A total of 30 papers dealt with the influence of culture on information security policy compliance behavior. 18 of these studies focused on the national cultural level, 11 on the organizational cultural level, and one on the individual/subunit cultural level. The majority of the articles used a questionnaire-based, quantitative approach (18), whereas 7 articles chose a qualitative approach. Meta-analyses (1), commentaries (2) typologies (1), case studies (2), and mixed method approaches (1) are less represented. Most articles do not explicit use a theory and are more theory generating in nature (11). The most frequently used theories are the theory of planned behavior (3) and the deterrence theory (4). Other theories are represented sporadically. At the national cultural level, 13 of 18 articles used Hofstede's cultural dimensions as cultural artifacts [12]. At the organizational level, hardly any culture artifacts have been used. The topic “influence of culture on information security policy compliance behavior includes articles that primarily focus on the analysis of cultural differences regarding information security compliance behavior of employees. There is only one study, which considers individual cultural values when analyzing information security compliance behavior with respect to cultural differences. On a national cultural level, the research focus lies in the analysis of the effectiveness of different theoretical mechanisms on compliance behavior along national cultures. In this area, different theories such as deterrence theory or the theory of planned behavior are analyzed [19–21]. The focus is mainly on the analysis of 7 different cultures and does not show a big variety [22]. On the organizational culture level, research in this topic area focuses on organizational concepts that positively influence information security behavior and thereby contribute to a positive security culture in organizations. For example, knowledge sharing [23], discipline and agility [24], and morale within an organization are examined in terms of their positive impact on behavior [25]. 58 4.2 Information Security Culture in Organizations A total amount of 39 papers have dealt with information security culture in organizations. 32 studies focused on the organizational cultural level, 6 on the individual/subunit cultural level, and one study on a national cultural level. Predominantly, conceptual frameworks were developed within the articles (14). There is also a focus on conducting literature reviews (5), qualitative studies and case studies (5), and questionnaire-based quantitative studies (7). Most articles do not use explicit theory and are more theory generating in nature (34). At the organizational cultural level, Schein's (1992) organizational behavior theory was frequently used (7) [14]. Most articles do not mention explicitly cultural artifacts (26). The theme “information security culture in organizations” includes articles, focusing on concepts and influencing factors of an information security culture within organizations, namely conceptualization of cultural models, their validation and the analysis of factors influencing a security culture and their effects. At the individual or subunit level, the crucial point lies in identifying different cultural subgroups within an organization, e.g. through different professional backgrounds [26, 27]. Another aspect of an information security culture is the analysis of influencing factors on such cultural subgroups [28, 29]. On an organizational cultural level, some articles focus on the analysis of illusory concepts of an organizational culture and their application in the information security culture domain [30–32]. Another core issue is the analysis of factors that influence an information security culture [33–35]. Furthermore, similarities between the traditional view of organizational cultures and an information security culture are in focus of current research as well [36, 37]. Other articles concentrate on the managerial impact on information security culture, such as the role of CISO's [38] or managerial guidelines to lead in a security culture [31]. 4.3 The Influence of Culture on Information Security Awareness Programs The influence of culture on information security awareness (ISA) programs was covered by a total of 8 articles. There were two studies with a focus on organizational cultural level, one study on the individual/subunit cultural level and five studies on national cultural level. Predominantly, mostly questionnaire-based, quantitative studies were carried out (5). Two articles conducted an experiment for their study and one article used a qualitative approach. A total of four studies chose Hofstede's culture dimensions as culture artifacts [12]. Other cultural artifacts, such as the organizational behavior theory [14] and aspects from the competing value framework were used as well [39]. In the context of this topic, different ways of approaching information security and culture were identified. On the one hand, correlations between information security awareness measures and the security culture of an organization are analyzed. The authors show that the security culture can have an influence on the individual awareness behavior of employees [40]. On the other hand, there are studies which investigate the influence of different organizational factors on ISA from different cultural perspectives. This includes the analysis of the impact of factors, such as 59 security culture or competing values on the awareness of employees [41]. At the national cultural level, studies have been mainly conducted with the purpose to analyze the effectiveness of theoretical mechanisms, such as social norms and attitude values [41] or fear appeals [42] on information security awareness in different countries. 4.4 The Effect of Culture on Information Security Governance The effect of culture on information security governance was analyzed by a total of 21 articles. There were 17 studies with a focus on organizational cultural level and 4 studies on national cultural level. Most of the analyzed studies focused on qualitative research approaches (5) and case studies (6). Most articles did not explicit outline mentioned theoretical approach or specific used cultural artefacts. National cultural level studies in this theme focus on analyzing national cultural values on the effectiveness of security measures [43] and what national-level factors need to be considered while implementing them [44]. Other studies at the national level analyze the influence of national culture on corporate structure [45] and information security risk management [46]. At the organizational level of analysis, several focus themes can be identified. On the one hand, current research is concerned with the relationship between culture and information security management. This includes the analysis of what effect management behavior can have on information security and its culture in the organization [47, 48] and the influence of culture on information security management itself [49]. Another element is the description of governance structures and their constituents for information security, considering cultural factors. This consists of the influence of culture on organizational structures, the implementation of information security measures [50] and the differences within these structures in different organizations [51]. Closely related are articles dealing with the design of information security policies, predominantly with the consideration of cultural differences [8, 52]. Another subtopic regarding the effect of culture on information security governance are Assessments. Articles describe not only the design and validation of assessment tools for information security culture, but also the implementation of monitoring methods for information security in a cross-cultural context [53, 54]. 5 Directions for Future Research Our study examined the current focus of analyses regarding the interrelation of culture and information security. In our literature review, we identified 103 relevant articles and were able to identify four focus themes concerning the interrelation between culture and information security. According to the outcomes of this study, the potential for further research can be identified. Within the topic “the influence of culture on information security policy compliance behavior” there is a strong focus regarding the national cultural level of analysis and the testing of the effectiveness of various theories in respect of different national cultures. The focus lies mainly in theories established in security research, such as 60 deterrence theory or the theory of planned behavior. Additionally, the individual characteristics of the culture of individual employees have not yet been taken into account. Future research in the field of the relation of culture and information security behavior should include: (1) The investigation of further theoretical mechanisms and their cultural dependency regarding information security behavior, such as theories explaining the shaping process of behavior by social factors [6]. (2) A focus on the influence of individual manifestations of cultural artifacts on behavior, in order not to make assumptions about dependencies between culture and individual behavior based on only national cultural values [55]. The topic of information security culture in organizations includes articles about the structure of a security culture within organizations and its influencing factors. Research in this area could benefit from an increased use of established organizational culture theories or culture artifacts not only to validate the already developed information security culture frameworks but also to draw parallels to organizational culture [35]. Furthermore, previous studies have predominantly focused on looking at the whole organization and its security culture. Differences in individual sub-units, such as different professions or demographic or geographic factors are poorly represented The focus of future research in this area should therefore provide: (1) A validation of the previously developed frameworks in the security culture environment, taking into account established cultural artifacts in the organizational culture domain. (2) A more specific investigation of security culture in different sub-units of organizations and their factors influencing each other [26]. The theme about the influence of culture on information security awareness programs has been poorly established in current research, with only 8 articles published Overall, it is visible that the relationships between cultural artifacts and ISA have been lack of analysis. On a national cultural level, it is evident, that culture has an influence on ISA. Rather a few studies exist in connection with organizational factors, culture and ISA, as well as the influence of individual cultural values on ISA. Accordingly, our proposal for future research in this area broadly determined. We suggest that future research on the relationship between culture and ISA should focus on: (1) The interrelationships of culture at the national, organizational, and individual/subunit levels with ISA, taking into account established ISA approaches, in order to provide more insights into the interrelationships of these two aspects [40]. Articles examining the effect of culture on information security governance are characterized by the study of factors influencing culture on governance structures or structures of the organization itself. Likewise, a relatively large number of articles on the influence of culture on information security management can be identified. What has been less considered so far is the conceptualization and review of methods and tools for reviewing security measures under consideration of cultural differences in order to build an international, cross-cultural monitoring of the effectiveness of security measures [50]. Consequently, we suggest that future research focus on the relationship between cultural artifacts and the conceptualization and review of assessment and monitoring approaches. Our results are summarized in table 3. 61 Table 3. Research agenda. Theme We need to… Limitations to Overcome The Influence (1) Further investigate theoretical (1) A focus on quantitative of Culture on mechanisms and their cultural dependency studies Information regarding information security behavior. (2) The consideration of cultural Security Policy artefacts in studies about (2) Analyze the influence of individual Compliance information security behavior cultural values on behavior. Behavior and their relation to culture Information (1) Validate previously developed (1) Limitations of conceptual Security frameworks in the security culture Frameworks Culture in environment, taking into account (2) The distinction between Organizations established cultural artifacts. different types of organizations (2) Investigate security culture in different sub-units of organizations and their factors influencing each other. The Influence (1) Analyze the interrelationships of (1) A focus on national cultural of Culture on culture at the national, organizational, and values Information individual/subunit levels (2) A focus on quantitative Security (2) Go beyond quantitative approaches studies Awareness and use a greater variety of qualitative and Programs quantitative approaches. The Effect of (1) Further analyze the relationship (1) The lack of theoretical Culture on between cultural artifacts and the approaches in this research Information conceptualization and review of stream Security assessment and monitoring approaches. (2) A focus on national cultural Governance (2) Measure culture not only on values organizational, but individual level to better understand the individual effect of culture on governance structures. 6 Conclusion The purpose of this study was to analyze current research on the relationships between information security and culture. Our study focuses on the interrelationships between information security and culture and thus represents an extension to existing literature reviews in the security context. By applying a structural framework, it provides an overview of the current state of research and its core topics, as well as existing research gaps. Based on the literature we identified, we were able to identify open points in the identified core topics and highlight potential for future research. Overall, limitations 62 remain to be identified in the context of our study. Our findings are limited to the selected areas of outlets and keywords that we considered in our search for relevant literature. Future research in specific research areas, will need to be further elaborated to include a wider scope of other, IS conferences, and journals potentially relevant to the specific case. References 1. Moody, G.D., Siponen, M., Pahnila, S.: Toward a Unified Model of Information Security Policy Compliance. MIS Quarterly 42, 285–311 (2018) 2. D’Arcy, J., Hovav, A.: Does One Size Fit All? Examining the Differential Effects of IS Security Countermeasures. Journal of Business Ethics 89, 59–71 (2009) 3. Siponen, M., Vance, A.: Neutralization: New Insights into the Problem of Employee Information Systems Security Policy Violations. MIS Quarterly 34, 487 (2010) 4. Puhakainen, P., Siponen, M.: Improving Employees' Compliance Through Information Systems Security Training: An Action Research Study. MIS Quarterly 34, 757 (2010) 5. Aurigemma, S., Mattson, T.: Generally Speaking, Context Matters: Making the Case for a Change from Universal to Particular ISP Research. Journal of the Association for Information Systems (2019) 6. Karlsson, F., Åström, J., Karlsson, M.: Information security culture – state-of-the-art review between 2000 and 2013. Info and Computer Security 23, 246–285 (2015) 7. Mahfuth, A., Yussof, S., Baker, A.A., Ali, N.'a.: A systematic literature review: Information security culture. In: Social transformation through data science. ICRIIS 2017 : 5th International Conference on Research and Innovation in Information Systems : Adya Hotel, Langkawi, Kedah, 16-17th July 2017, pp. 1–6. IEEE, Piscataway, NJ (2017) 8. Hina, S., Dominic, P.D.D.: Information security policies’ compliance: a perspective for higher education institutions. Journal of Computer Information Systems 60, 201–211 (2020) 9. Leidner, D.F., Kayworth, T.: Review: a review of culture in information systems research: toward a theory of information technology culture conflict. MIS Quarterly 30 (2006) 10. Jane Webster, Richard T. Watson: Analyzing the Past to Prepare for the Future: Writing a Literature Review. MIS Quarterly 26 (2002) 11. Straub, D., Loch, K., Evaristo, R., Karahanna, E., Srite, M.: Toward a Theory-Based Measurement of Culture. Journal of Global Information Management 10, 13–23 (2002) 12. Hofstede, G.: Culture's consequences. Comparing values, behaviors, institutions, and organizations across nations. Sage Publ, Thousand Oaks, Calif. (2011) 13. Nonaka, I.: A Dynamic Theory of Organizational Knowledge Creation. Organization Science 5, 14–37 (1994) 14. Schein, E.H.: Organizational culture and leadership. Jossey-Bass, San Francisco (1997) 15. Sabel, N., Rietz, S.: Interkulturelle Kompetenz: Einfluss der Kultur auf das internationale Management. Einfluss der Kultur auf das internationale Management. Diplomica Verlag GmbH, Hamburg (2010) 16. Tylor, E.B.: Primitive culture. Researches into the development of mythology, philosophy, religion, art, and custom. Cambridge Univ. Press, Cambridge (2010) 63 17. Keller, E. von: Die kulturvergleichende Managementforschung. Gegenstand, Ziele, Methoden, Ergebnisse und Erkenntnisprobleme einer Forschungsrichtung. Haupt, Bern (1982) 18. Karahanna, E., Evaristo, J.R., Srite, M.: Levels of Culture and Individual Behavior. Journal of Global Information Management 13, 1–20 (2005) 19. Dinev, T., Goo, J., Hu, Q., Nam, K.: User behaviour towards protective information technologies: the role of national cultural differences. Info Systems J 19, 391–412 (2009) 20. Hovav, A., D’Arcy, J.: Applying an extended model of deterrence across cultures: An investigation of information systems misuse in the U.S. and South Korea. Information & Management 49, 99–110 (2012) 21. Hovav, A., D’Arcy, J., Lee, K.: A Cross-Cultural Analysis of Security Countermeasure Effectiveness. In: WISP 2007 (2007) 22. Cram, W.A., D'Arcy, J., Proudfoot, J.G.: Seeing the Forest and the Trees: A Meta-Analysis of the Antecedents to Information Security Policy Compliance. MISQ 43, 525–554 (2019) 23. Rocha Flores, W., Antonsen, E., Ekstedt, M.: Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security 43, 90–110 (2014) 24. AlKalbani, A., Deng, H., Kam, B.: Organisational Security Culture and Information Security Compliance for E-Government Development: The Moderating Effect of Social Pressure. In: PACIS, p. 65 (2015) 25. Amankwa, E., Loock, M., Kritzinger, E.: Establishing information security policy compliance culture in organizations. Info and Computer Security 26, 420–436 (2018) 26. Ramachandran, S., Rao, C., Goles, T., Dhillon, G.: Variations in Information Security Cultures across Professions: A Qualitative Study. CAIS 33 (2013) 27. Ramachandran, S., Rao, S.V., Goles, T.: Information Security Cultures of Four Professions: A Comparative Study. In: Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008), p. 454. IEEE (2008 - 2008) 28. van Niekerk, J., Solms, R. von: A holistic framework for the fostering of an information security sub-culture in organizations. In: Issa, 1 (2005) 29. da Veiga, A., Martins, N.: Defining and identifying dominant information security cultures and subcultures. Computers & Security 70, 72–94 (2017) 30. Nel, F., Drevin, L.: Key elements of an information security culture in organisations. Info and Computer Security 27, 146–164 (2019) 31. van Niekerk, J.F., Solms, R. von: Information security culture: A management perspective. Computers & Security 29, 476–486 (2010) 32. Williams, P.A.: What Does Security Culture Look Like For Small Organizations? Security Research Institute (SRI), Edith Cowan University (2009) 33. Al Natheer, M., Chan, T., Nelson, K.: Understanding and measuring information security culture (2012) 34. Dojkovski, S., Lichtenstein, S., Warren, M.J.: Fostering information security culture in small and medium size enterprises: an interpretive study in Australia (2007) 35. Dhillon, G., Syed, R., Pedron, C.: Interpreting information security culture: An organizational transformation case study. Computers & Security 56, 63–69 (2016) 36. Ruighaver, A.B., Maynard, S.B., Chang, S.: Organisational security culture: Extending the end-user perspective. Computers & Security 26, 56–62 (2007) 64 37. Ruighaver, A.B., Maynard, S.B.: Organizational Security Culture: More Than Just an End- User Phenomenon. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds.) Security and Privacy in Dynamic Environments, pp. 425–430. Springer US, Boston, MA (2006) 38. Ashenden, D., Sasse, A.: CISOs and organisational culture: Their own worst enemy? Computers & Security 39, 396–405 (2013) 39. Cameron, K., Quinn, R., DeGraff, J., Thakor, A.: Competing Values Leadership. Edward Elgar Publishing (2006) 40. Wiley, A., McCormac, A., Calic, D.: More than the individual: Examining the relationship between culture and Information Security Awareness. Computers & Security 88, 101640 (2020) 41. Lin, H.-C.: An investigation of the effects of cultural differences on physicians’ perceptions of information technology acceptance as they relate to knowledge management systems. Computers in Human Behavior 38, 368–380 (2014) 42. M. Karjalainen, M. Siponen, Petri Puhakainen, S. Sarker: One Size Does Not Fit All: Different Cultures Require Different Information Systems Security Interventions. In: PACIS (2013) 43. D'Arcy, J., Hovav, A., Galletta, D.: User Awareness of Security Countermeasures and Its Impact on Information Systems Misuse: A Deterrence Approach. Information Systems Research 20, 79–98 (2009) 44. Shaaban, H., Conrad, M.: Democracy, culture and information security: a case study in Zanzibar. Info Mngmnt & Comp Security 21, 191–201 (2013) 45. Ali, M., Brooks, L.: A situated cultural approach for cross‐cultural studies in IS. Journal of Enterprise Information Management 22, 548–563 (2009) 46. Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Formulating information systems risk management strategies through cultural theory. Info Mngmnt & Comp Security 14, 198–217 (2006) 47. Hu, Q., Dinev, T., Hart, P., Cooke, D.: Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture*. Decision Sciences 43, 615–660 (2012) 48. Knapp, K.J., Marshall, T.E., Kelly Rainer, R., Nelson Ford, F.: Information security: management's effect on culture and policy. Info Mngmnt & Comp Security 14, 24–36 (2006) 49. Werlinger, R., Hawkey, K., Beznosov, K.: An integrated view of human, organizational, and technological challenges of IT security management. Info Mngmnt & Comp Security 17, 4–19 (2009) 50. Da Veiga, A., Eloff, J.H.P.: A framework and assessment instrument for information security culture. Computers & Security 29, 196–207 (2010) 51. Dojkovski, S., Lichtenstein, S., Warren, M.: Developing information security culture in small and medium size enterprises: Australian case studies. In: ECIW2008-7th European Conference on Information Warfare and Security: ECIW2008. Reading: Academic Conferences Limited, pp. 55–66 (2008) 52. Lapke, M.: Power Relationships in Information Systems Security Policy Formulation and Implementation (2008) 65 53. Da Veiga, A.: The Influence of Information Security Policies on Information Security Culture: Illustrated through a Case Study. In: HAISA, pp. 22–33 (2015) 54. Johnsen, S.O., Hansen, C.W., Nordby, Y., Dahl, M.B.: Measurement and Improvement of Information Security Culture. Measurement and Control 39, 52–56 (2006) 55. Yoo, B., Donthu, N., Lenartowicz, T.: Measuring Hofstede’s five dimensions of cultural values at the individual level: Development and validation of CVSCALE. Journal of international consumer marketing 23, 193–210 (2011) 66 Appendix A: Analyzed Articles Table 4. Concept matrix: The influence of culture on information security policy compliance behavior. Note: NA = Not Applicable The Influence of Culture on Information Security Policy Compliance Behavior Paper Level of Method Theory Cultural Artefact Analysis (Hovav and National Survey Deterrence Hofstedes Cultural D'Arcy, 2012) Theory Dimensions (Yayla, 2011) National Survey Institutional Hofstedes Cultural Theory Dimensions (Arage et al. National Survey Rational Choice NA 2015) Theory (Connolly et al. National Qualitative NA Hofstedes Cultural 2019) Dimensions (Flores et al. Organizational Mixed Method NA NA 2014) (Harris et al. National Survey NA Hofstedes Cultural 2010) Dimensions (Flores et al. National Survey Theory of Hofstedes Cultural 2015) planned bevahior Dimensions (AlKalbani et al. Organizational Survey Technology- NA 2015) organization- environment (TOE) Theory (Dan and Organizational Case Study Theory of NA Lindström, 2011) (Typology) organizational behaviour (Menard et al. Organizational Survey Protection Hostedes Cultural 2018) Motivation Dimensions Theory (Vroom and Von Organizational Conceptual NA NA Solms, 2004) Framework (Dinev et al. National Survey Theory of Hofstedes Cultural 2009a) planned behavior Dimensions (Da Veiga, 2015) Organizational Case Study NA NA (Quantitative) (Crossler et al. NA Comment NA NA 2013) (Cockroft and National Survey NA Hofstedes Cultural Rekker, 2016) Dimensions (Connolly et al. Organizational Qualitative Deterrence NA 2017) Theory 67 (Dols and National Survey NA Hofstedes Cultural Silvius, 2010) Dimensions (Warkentin et al. National Survey Deterrence Hofstedes Cultural 2012) Theory Dimensions (Khaled and Organizational Framework NA NA Lane, 2008) (Hwee-Joo Kam National Comment Neo Institutional Hofstedes Cultural et al. 2014) Theory Dimensions (Hwee-Joo Kam National Survey Organizational Cross-Cultural et al. 2015) Norm Theory Framework (CVF) (Arage et al. National Survey Rational Choice Hofstedes Cultural 2016) Theory Dimensions (Chen et al. National Survey Protection Hofstedes Cultural 2016) motivation theory Dimensions (Vance et al. National Survey Deterrence, Hofstedes Cultural 2020) Moral Beliefs, Dimensions Neutralization (Lin et al. 2020) National Qualitative NA Organizational behavior theory (Schein) (Cram et al. National Meta-Analysis NA NA 2020) ISCA (Da Veiga, 2016) Individual Survey questionnaire NA (Karjalainen et Hofstedes Cultural al. 2020) National Qualitative NA Dimensions (Amankwa et al. Involvement Organizational behavior 2018) Organizational Survey theory theory (Schein) (Dinev et al. Theory of Hofstedes Cultural 2009b) National Survey planned behavior Dimensions (Alfawaz et al. Case Study Classification 2010 Organizational (Qualitative) Theory NA Table 5. Concept matrix: Information security culture in organizations. Note: NA = Not Applicable Information Security Culture in Organizations Paper Level of Method Theory Cultural Artefact Analysis (Da Veiga and Organizational Conceptual NA NA Eloff, 2010) Framework (Amjad et al. 2017) Organizational Literature NA NA Review (Ashenden and Organizational Qualitative NA NA Sasse, 2013) 68 (Da Veiga and Individual / Survey NA NA Martins, 2017) Subunit (AlHogail, 2015) Organizational Conceptual NA NA Framework (Lim et al. 2010) Organizational Case Study NA NA (Qualitative) (Van Niekerk and Organizational Conceptual NA NA Von Solms, 2010) Framework (Dhillon et al. Organizational Case Study Dimensions of Theory of cultural 2016) (Qualitative) Organizational message streams Culture (Ruighaver et al. Organizational Conceptual Organizational NA 2007) Framework Culture Framework (D'Arcy and Organizational Survey NA NA Greene, 2014) (Kolkowska, 2011) Individual / Case Study NA NA Subunit (Qualitative) (Alnatheer et al. Organizational Survey NA NA 2012) (Lacey, 2010) Organizational Literature NA NA Review (Ramachandran et Individual / Qualitative NA NA al. 2013) Subunit (Dojkovski et al. Organizational Case Study NA NA 2007) (Mixed Method) (Martins and Da Organizational Survey NA NA Veiga , 2015) (Shuchih and Chin- Organizational Conceptual NA NA Shien, 2007) Framework (Van Niekerk and Individual / Conceptual NA NA Von Solms, 2005) Subunit Framework (Van Niekerk and Organizational Conceptual NA Organizational Cultural Von Solms, 2006) Framework Framework (Zakaria, 2006) Individual / Conceptual NA NA Subunit Framework (Alhogail and Organizational Literature NA NA Mirza, 2014) Review (Alhogail and Organizational Literature NA NA Mirza, 2014) Review (Alnatheer and Organizational Conceptual NA NA Nelson, 2009) Framework 69 (Malcolmson, Organizational Qualitative NA NA 2009) (Ramachandran et Individual / Qualitative NA NA al. 2008) Subunit (Schlienger and Organizational Conceptual NA Organizational Cultural Teufel, 2003) Framework Framework (Zakaria, 2004) Organizational Comment NA Organizational Cultural Framework (Ruighaver and Organizational Conceptual NA NA Maynard, 2006) Framework (Thomson et al. Organizational Conceptual NA NA 2006) Framework (Martins and Eloff, Organizational Conceptual NA NA 2002) Framework (Da Veiga et al. Organizational Survey OISCM Model NA 2020) (Nel and Drevin, Organizational Qualitative PMT Organizational Cultural 2019) Framework (Tang et al. 2016) Organizational Case Study NA Hofstedes Cultural Dimensions (Da Veiga, 2018) Organizational Survey ISCA NA Questionnaire (Connolly and Organizational Mixed Method NA NA Lang, 2013) (Lim et al. 2009) Organizational Literature NA Organizational Cultural Review Framework (Ngo et al. 2005) Organizational Conceptual NA NA Framework (Van Niekerk and Organizational Design Science NA Organizational Cultural Von Solms, 2013) Framework (Williams, 2009) Organizational Conceptual NA Organizational Cultural Framework Framework Table 6. Concept matrix: The influence of culture on information security awareness programs Note: NA = Not Applicable The Influence of Culture on Information Security Awareness Programs Paper Level of Method Theory Cultural Artefact Analysis (Lin and Hsien- National Survey Theory of Hofstedes Cultural Cheng, 2014) planned behavior Dimensions (Plachkinova and National Survey NA Hofstedes Cultural Andrés, 2015) Dimensions 70 (Karjalainen et National Conceptual NA NA al. 2013) Framework (Flores et al. Organizational Survey NA NA 2016) (Pienta et al. Organizational Experiment SETA Competing Value 2017) Framework (Cameron & Quinn 2006) (Chen et al. National Experiment NA Hofstedes Cultural 2008) Dimensions (Schmidt et al. National Survey NA NA 2008) (Wiley et al. Individual Survey HAIS-Q Organizational Security 2020) Culture Measure. Table 7. Concept matrix: The effect of culture on information security governance Note: NA = Not Applicable The Effect of Culture on Information Security Governance Paper Level of Method Theory Cultural Artefact Analysis (Da Veiga and Organizational Conceptual NA NA Eloff, 2007) Framework (Werlinger et Organizational Qualitative NA NA al. 2009) (Shaaban and National Mixed Method NA Hofstedes Cultural Dimensions Conrad, 2013) (Tsohou et al. National Conceptual NA NA 2006) Framework (Da Veiga and Organizational Case Study NA NA Martins, 2015) (Quantitative) (Knapp et al. Organizational Mixed Method NA NA 2006) (Da Veiga et al. Organizational Survey NA NA 2007) (Bess, 2009) Organizational Case Study Structuration NA (Qualitative) Theory (Martin and Organizational Conceptual NA NA Eloff, 2002) Framework (Okere et al. Organizational Qualitative NA NA 2012) (Von Solms and Organizational Comment NA Schein (1992) von Solms 2004) 71 (Ali and National Conceptual Structuration Straub 2002 Brooks, 2009) Framework Theory (Hu et al. 2012) Organizational Survey TPB NA (D Arcy et al. National Survey Deterrence Hofstedes Cultural Dimensions 2007) Theory (Lapke and Organizational Case Study NA Circuits of Power (Clegg 2002) Dhillon, 2008) (Qualitative) (Hina et al. Organizational Literature NA NA 2020) Review (Corriss, 2010) Organizational Case Study Broken NA (Qualitative) Window Theory (Dojkovski et Organizational Conceptual NA NA al. 2007) Framework (Ghernaouti et Organizational Case Study NA NA al. 2010) (Qualitative) (Johnsen et al. Organizational Conceptual NA Hudson (2002) 2006) Framework (Luo et al. Organizational Survey NA Hofstedes Cultural Dimensions 2009) Appendix B: Identified Articles 1. Lin, H.-C.: An investigation of the effects of cultural differences on physicians’ perceptions of information technology acceptance as they relate to knowledge management systems. Computers in Human Behavior 38, 368–380 (2014) 2. Werlinger, R., Hawkey, K., Beznosov, K.: An integrated view of human, organizational, and technological challenges of IT security management. Info Mngmnt & Comp Security 17, 4–19 (2009) 3. Veiga, A.D., Eloff, J.H.P.: An Information Security Governance Framework. Information Systems Management 24, 361–372 (2007) 4. Mahfuth, A., Yussof, S., Baker, A.A., Ali, N.'a.: A systematic literature review: Information security culture. In: Social transformation through data science. ICRIIS 2017 : 5th International Conference on Research and Innovation in Information Systems : Adya Hotel, Langkawi, Kedah, 16-17th July 2017, pp. 1–6. IEEE, Piscataway, NJ (2017) 5. Da Veiga, A., Eloff, J.H.P.: A framework and assessment instrument for information security culture. Computers & Security 29, 196–207 (2010) 6. Amankwa, E., Loock, M., Kritzinger, E.: Establishing information security policy compliance culture in organizations. Info and Computer Security 26, 420–436 (2018) 7. J. Malcolmson: What is security culture? Does it differ in content from general organisational culture? In: 43rd Annual 2009 International Carnahan Conference on Security Technology, pp. 361–366 (2009) 72 8. Bess, D.: Understanding information security culture for strategic use: a case study. AMCIS 2009 Proceedings, 219 (2009) 9. Alnatheer, M., Nelson, K.: Proposed framework for understanding information security culture and practices in the Saudi context (2009) 10. AlHogail, A., Mirza, A.: Information security culture: A definition and a literature review. In: 2014 World Congress on Computer Applications and Information Systems (WCCAIS), pp. 1–7. IEEE (2014 - 2014) 11. AlHogail, A., Mirza, A.: A FRAMEWORK OF INFORMATION SECURITY CULTURE CHANGE. Journal of Theoretical & Applied Information Technology 64 (2014) 12. Zakaria, O.: Internalisation of Information Security Culture amongst Employees through Basic Security Knowledge. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds.) Security and Privacy in Dynamic Environments, pp. 437–441. Springer US, Boston, MA (2006) 13. van Niekerk, J., Solms, R. von: Understanding Information Security Culture: A Conceptual Framework. In: ISSA, pp. 1–10 (2006) 14. van Niekerk, J., Solms, R. von: A holistic framework for the fostering of an information security sub-culture in organizations. In: Issa, 1 (2005) 15. Ernest Chang, S., Lin, C.‐S.: Exploring organizational culture for information security management. Industr Mngmnt & Data Systems 107, 438–458 (2007) 16. Martins, N., da Veiga, A.: An Information Security Culture Model Validated with Structural Equation Modelling. In: HAISA, pp. 11–21 (2015) 17. Dojkovski, S., Lichtenstein, S., Warren, M.J.: Fostering information security culture in small and medium size enterprises: an interpretive study in Australia (2007) 18. Da Veiga, A.: The Influence of Information Security Policies on Information Security Culture: Illustrated through a Case Study. In: HAISA, pp. 22–33 (2015) 19. Dinev, T., Goo, J., Hu, Q., Nam, K.: User behaviour towards protective information technologies: the role of national cultural differences. Info Systems J 19, 391–412 (2009) 20. Martins, N., Da Veiga, A., Eloff, J.H.P.: Information security culture-validation of an assessment instrument. Southern African Business Review 11, 147–166 (2007) 21. McCoy, S., Galletta, D.F., King, W.R.: Integrating National Culture into IS Research: The Need for Current Individual Level Measures. CAIS 15 (2005) 22. Ramachandran, S., Rao, C., Goles, T., Dhillon, G.: Variations in Information Security Cultures across Professions: A Qualitative Study. CAIS 33 (2013) 23. Dinev, T., Goo, J., Hu, Q., Nam, K.: User behaviour towards protective information technologies: the role of national cultural differences. Info Systems J 19, 391–412 (2009) 24. Lacey, D.: Understanding and transforming organizational security culture. Info Mngmnt & Comp Security 18, 4–13 (2010) 25. Al Natheer, M., Chan, T., Nelson, K.: Understanding and measuring information security culture (2012) 26. Vroom, C., Solms, R. von: Towards information security behavioural compliance. Computers & Security 23, 191–198 (2004) 27. Pienta, D., Pu, W., Purvis, R.: The Impact of Culture on Information Security: Exploring the Tension of Flexibility and Control. In: ICIS 2017 (2017) 28. Menard, P., Warkentin, M., Lowry, P.B.: The impact of collectivism and psychological ownership on protection motivation: A cross-cultural examination. Computers & Security 75, 147–166 (2018) 73 29. Harnesk, D., Lindström, J.: Shaping security behaviour through discipline and agility. Info Mngmnt & Comp Security 19, 262–276 (2011) 30. Rocha Flores, W., Ekstedt, M.: Shaping intention to resist social engineering through transformational leadership, information security culture and awareness. Computers & Security 59, 26–44 (2016) 31. Kolkowska, E.: Security subcultures in an organization-exploring value conflicts. In: ECIS 2011 Proceedings. 243. (2011) 32. D'Arcy, J., Greene, G.: Security culture and the employment relationship as drivers of employees’ security compliance. Info Mngmnt & Comp Security 22, 474–489 (2014) 33. Ruighaver, A.B., Maynard, S.B., Chang, S.: Organisational security culture: Extending the end- user perspective. Computers & Security 26, 56–62 (2007) 34. AlKalbani, A., Deng, H., Kam, B.: Organisational Security Culture and Information Security Compliance for E-Government Development: The Moderating Effect of Social Pressure. In: PACIS, p. 65 (2015) 35. M. Karjalainen, M. Siponen, Petri Puhakainen, S. Sarker: One Size Does Not Fit All: Different Cultures Require Different Information Systems Security Interventions. In: PACIS (2013) 36. Rocha Flores, W., Holm, H., Nohlberg, M., Ekstedt, M.: Investigating personal determinants of phishing and the effect of national culture. Info and Computer Security 23, 178–199 (2015) 37. Dhillon, G., Syed, R., Pedron, C.: Interpreting information security culture: An organizational transformation case study. Computers & Security 56, 63–69 (2016) 38. Harris, A.L., Yates, D., Harris, J.M., Quaresma, R.: Information System Ethical Attitudes: A Cultural Comparison of the United States, Spain, and Portugal. In: AMCIS, p. 234 (2010) 39. Knapp, K.J., Marshall, T.E., Kelly Rainer, R., Nelson Ford, F.: Information security: management's effect on culture and policy. Info Mngmnt & Comp Security 14, 24–36 (2006) 40. Thomson, K.-L., Solms, R. von: Information security obedience: a definition. Computers & Security 24, 69–75 (2005) 41. Rocha Flores, W., Antonsen, E., Ekstedt, M.: Information security knowledge sharing in organizations: Investigating the effect of behavioral information security governance and national culture. Computers & Security 43, 90–110 (2014) 42. van Niekerk, J.F., Solms, R. von: Information security culture: A management perspective. Computers & Security 29, 476–486 (2010) 43. Karlsson, F., Åström, J., Karlsson, M.: Information security culture – state-of-the-art review between 2000 and 2013. Info and Computer Security 23, 246–285 (2015) 44. Connolly, L.Y., Lang, M., Wall, D.S.: Information Security Behavior: A Cross-Cultural Comparison of Irish and US Employees. Information Systems Management 36, 306–322 (2019) 45. Tilahun Muluneh Arage, France Bélanger, Tibebe Beshah: Influence of National Culture on Employees’ Compliance with Information Systems Security (ISS) Policies: Towards ISS Culture in Ethiopian Companies. In: AMCIS (2015) 46. da Veiga, A., Martins, N.: Improving the information security culture through monitoring and implementation actions illustrated through a case study. Computers & Security 49, 162–176 (2015) 47. Plachkinova, Miloslava and Andrés, Steven: Improving Information Security Training: An Intercultural Perspective. In: PACIS 2015 Proceedings 167 (2015) 74 48. Tsohou, A., Karyda, M., Kokolakis, S., Kiountouzis, E.: Formulating information systems risk management strategies through cultural theory. Info Mngmnt & Comp Security 14, 198–217 (2006) 49. Yayla, A.: ENFORCING INFORMATION SECURITY POLICIES THROUGH CULTURAL BOUNDARIES: A MULTINATIONAL COMPANY APPROACH. In: ECIS 2011 Proceedings. 243. (2011) 50. Lim, J.S., Ahmad, A., Chang, S., and Maynard, S.: Embedding Information Security Culture Emerging Concerns and Challenges. In: PACIS 2010 Proceedings. 43. (2010) 51. AlHogail, A.: Design and validation of information security culture framework. Computers in Human Behavior 49, 567–575 (2015) 52. Shaaban, H., Conrad, M.: Democracy, culture and information security: a case study in Zanzibar. Info Mngmnt & Comp Security 21, 191–201 (2013) 53. da Veiga, A., Martins, N.: Defining and identifying dominant information security cultures and subcultures. Computers & Security 70, 72–94 (2017) 54. Ashenden, D., Sasse, A.: CISOs and organisational culture: Their own worst enemy? Computers & Security 39, 396–405 (2013) 55. Arage, T., Belanger, F., Beshah, T.: Influence of National Culture on Employees’ Compliance with Information Systems Security (ISS) Policies: Towards ISS Culture in Ethiopian Companies. In: AMCIS (2015) 56. Williams, P.A.: What Does Security Culture Look Like For Small Organizations? Security Research Institute (SRI), Edith Cowan University (2009) 57. van Niekerk, J., Solms, R. von: A theory based approach to information security culture change. Information (Japan) 16, 3907–3930 (2013) 58. Ngo, L., Zhou, W., Warren, M.: Understanding Transition towards Information Security Culture Change. In: AISM, pp. 67–73 (2005) 59. Luo, X., Warkentin, M., Johnston, A.C.: The impact of national culture on workplace privacy expectations in the context of information security assurance. In: AMCIS 2009, p. 521 (2009) 60. Lim, J.S., Chang, S., Maynard, S., Ahmad, A.: Exploring the Relationship between Organizational Culture and Information Security Culture. Security Research Institute (SRI), Edith Cowan University (2009) 61. Johnsen, S.O., Hansen, C.W., Nordby, Y., Dahl, M.B.: Measurement and Improvement of Information Security Culture. Measurement and Control 39, 52–56 (2006) 62. Ghernouti-Hélie, S., Tashi, I., Simms, D.: A Multi-stage Methodology for Ensuring Appropriate Security Culture and Governance. In: 2010 International Conference on Availability, Reliability and Security, pp. 353–360. IEEE (2010 - 2010) 63. Dojkovski, S., Lichtenstein, S., Warren, M.: Developing information security culture in small and medium size enterprises: Australian case studies. In: ECIW2008-7th European Conference on Information Warfare and Security: ECIW2008. Reading: Academic Conferences Limited, pp. 55–66 (2008) 64. Corriss, L.: Information security governance. In: Bishop, M. (ed.) Proceedings of the 2010 Workshop on Governance of Technology, Information and Policies - GTIP '10, pp. 35–41. ACM Press, New York, New York, USA (2010) 65. Connolly, Lena and Lang, Michael: Information Systems Security: The Role of Cultural Aspects in Organizational Settings. In: WISP 2012 Proceedings. 30. (2012) 75 66. Lena Connolly, M. Lang: Investigation of cultural aspects within information systems security research. 2012 International Conference for Internet Technology and Secured Transactions, 105– 111 (2012) 67. Alfawaz, S., Nelson, K., Mohannak, K.: Information security culture: a behaviour compliance conceptual framework. In: Information Security 2010: AISC’10 Proceedings of the Eighth Australasian Conference on Information Security [Conferences in Research and Practice in Information Technology, Volume 105], pp. 51–60 (2010) 68. Karjalainen, M., Siponen, M., Puhakainen, P., Sarker, S.: Universal and Culture-dependent Employee Compliance of Information Systems Security Procedures. Journal of Global Information Technology Management 23, 5–24 (2020) 69. da Veiga, A.: An approach to information security culture change combining ADKAR and the ISCA questionnaire to aid transition to the desired culture. Info and Computer Security 26, 584– 612 (2018) 70. Tang, M., Li, M.’g., Zhang, T.: The impacts of organizational culture on information security culture: a case study. Inf Technol Manag 17, 179–186 (2016) 71. da Veiga, A.: Comparing the information security culture of employees who had read the information security policy and those who had not. Info and Computer Security 24, 139–151 (2016) 72. Nel, F., Drevin, L.: Key elements of an information security culture in organisations. Info and Computer Security 27, 146–164 (2019) 73. Cram, W.A., D'Arcy, J., Proudfoot, J.G.: Seeing the Forest and the Trees: A Meta-Analysis of the Antecedents to Information Security Policy Compliance. MISQ 43, 525–554 (2019) 74. Lin, C., Kunnathur, A.S., Li, L.: The Cultural Foundation of Information Security Behavior. Journal of Database Management 31, 21–41 (2020) 75. Vance, A., Siponen, M.T., Straub, D.W.: Effects of sanctions, moral beliefs, and neutralization on information security policy violations across cultures. Information & Management 57, 103212 (2020) 76. Hina, S., Dominic, P.D.D.: Information security policies’ compliance: a perspective for higher education institutions. Journal of Computer Information Systems 60, 201–211 (2020) 77. da Veiga, A., Astakhova, L.V., Botha, A., Herselman, M.: Defining organisational information security culture—Perspectives from academia and industry. Computers & Security 92, 101713 (2020) 78. Wiley, A., McCormac, A., Calic, D.: More than the individual: Examining the relationship between culture and Information Security Awareness. Computers & Security 88, 101640 (2020) 79. Chen, Y., Zahedi, F.M.: Individuals' Internet Security Perceptions and Behaviors: Polycontextual Contrasts Between the United States and China. MISQ 40, 205–222 (2016) 80. Arage, T.M., Belanger, F., and Tesema, T.B.: Investigating the Moderating Impact of National Culture in Information Systems Security Policy Violation: The Case of Italy and Ethiopia" (2016). In: MCIS 2016 Proceedings. 56. (2016) 81. Kam, H.-J., Katerattanakul, P., Hong, S.-G.: A Tale of Two Cities: Information Security Policy Compliance of the Banking Industry in the United States and South Korea. University of Münster, Münster, Germany (2015) 82. Hwee-Joo Kam, Pairin Katerattanakul, Soongoo Hong: The Three Musketeers: Impacts of National Culture, Organizational Norms and Institutional Environment on Information Security Policy Compliance. In: WISP 2014 (2014) 76 83. K. Alshare, P. Lane: A Conceptual Model for Explaining Violations of the Information Security Policy (ISP): A Cross Cultural Perspective. In: AMCIS (2008) 84. Lapke, M.: Power Relationships in Information Systems Security Policy Formulation and Implementation (2008) 85. M. Warkentin, Nirmalee Malimage, Kalana Malimage: Impact of Protection Motivation and Deterrence on IS Security Policy Compliance: A Multi-Cultural View. In: WISP 2012 (2012) 86. T. Dols, A. Silvius: Exploring the Influence of National Cultures on Non-Compliance Behavior. Communications of the IIMA 10, 2 (2010) 87. Hovav, A., D’Arcy, J., Lee, K.: A Cross-Cultural Analysis of Security Countermeasure Effectiveness. In: WISP 2007 (2007) 88. Martins, A., Elofe, J.: Information security culture. In: Security in the information society, pp. 203–214. Springer (2002) 89. Hu, Q., Dinev, T., Hart, P., Cooke, D.: Managing Employee Compliance with Information Security Policies: The Critical Role of Top Management and Organizational Culture*. Decision Sciences 43, 615–660 (2012) 90. Wetzels, Odekerken-Schröder, van Oppen: Using PLS Path Modeling for Assessing Hierarchical Construct Models: Guidelines and Empirical Illustration. MIS Quarterly 33, 177 (2009) 91. Yuryna Connolly, L., Lang, M., Gathegi, J., Tygar, D.J.: Organisational culture, procedural countermeasures, and employee security behaviour. Info and Computer Security 25, 118–136 (2017) 92. Cockcroft, S., Rekker, S.: The relationship between culture and information privacy policy. Electron Markets 26, 55–72 (2016) 93. Chen, C.C., Medlin, B.D., Shaw, R.S.: A cross-cultural investigation of situational information security awareness programs. Info Mngmnt & Comp Security (2008) 94. Ali, M., Brooks, L.: A situated cultural approach for cross‐cultural studies in IS. Journal of Enterprise Information Management 22, 548–563 (2009) 95. Thomson, K.-L., Solms, R. von, Louw, L.: Cultivating an organizational information security culture. Computer Fraud & Security 2006, 7–11 (2006) 96. Ruighaver, A.B., Maynard, S.B.: Organizational Security Culture: More Than Just an End-User Phenomenon. In: Fischer-Hübner, S., Rannenberg, K., Yngström, L., Lindskog, S. (eds.) Security and Privacy in Dynamic Environments, pp. 425–430. Springer US, Boston, MA (2006) 97. Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M., Baskerville, R.: Future directions for behavioral information security research. Computers & Security 32, 90–101 (2013) 98. Zakaria, O.: Understanding Challenges of Information Security Culture: A Methodological Issue. In: AISM, pp. 83–93 (2004) 99. Solms, R. von, Solms, B. von: From policies to culture. Computers & Security 23, 275–279 (2004) 100. Schlienger, T., Teufel, S.: Information security culture-from analysis to change. South African Computer Journal 2003, 46–52 (2003) 101. Ramachandran, S., Rao, S.V., Goles, T.: Information Security Cultures of Four Professions: A Comparative Study. In: Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008), p. 454. IEEE (2008 - 2008) 102. Okere, I., van Niekerk, J., Carroll, M.: Assessing information security culture: A critical analysis of current approaches. In: 2012 Information Security for South Africa, pp. 1–8 (2012) 103. Martins, A., Eloff, J.: Assessing Information Security Culture. In: ISSA, pp. 1–14 (2002) 77