=Paper=
{{Paper
|id=Vol-2966/paper5
|storemode=property
|title=Culture Matters – A Cross Cultural Examination of Information Security Behavior Theories
|pdfUrl=https://ceur-ws.org/Vol-2966/paper5.pdf
|volume=Vol-2966
|authors=Sebastian Hengstler
|dblpUrl=https://dblp.org/rec/conf/wirtschaftsinformatik/Seyffarth21
}}
==Culture Matters – A Cross Cultural Examination of Information Security Behavior Theories==
Sebastian Hengstler
Chair of Information Security and Compliance, University of Goettingen, Germany
s.hengstler@stud.uni-goettingen.de
Abstract. Ensuring information security is an international problem and poses
particular challenges for international companies. Research proposes various
solutions for ensuring information security based on several theories such as the
deterrence theory or the protection motivation theory. What is currently missing
is a comparison of these theories in an intercultural context to test their
comparability and different effectiveness. In our study, we empirically tested the
theories and determined their comparability with invariance testing and
predictive power between Germany, India and the USA using a SEM approach.
Our results show differences in the effectiveness of the theoretical models across
the three cultures. The results provide initial insights into the use of the theories
in an international context and offer a practical approach to design
culture-specific security measures.
Keywords: Information Security Policy Compliance Behavior, Cross-cultural
research, Deterrence Theory, Protection Motivation Theory
1 Introduction
With the increasing relevance of information security for ensuring successful business
in the digital age, the need for effective measures to ensure secure employee behavior
within organizations is growing [1]. As a basis for ensuring security behavior,
companies define information security policies (ISP). ISPs are defined as “a set of
formalized procedures, guidelines, roles and responsibilities to which employees are
required to adhere to safeguard and use properly the information and technology
resources of their organizations [2]”. Research on ISP compliance behavior (ISPCB)
has already developed a variety of contextualized theories to explain employee
behavior, mainly using theories from other disciplines such as sociology, psychology,
criminology or health care [3]. These approaches provide detailed insights into how
ISPCB can be explained and influenced positively or negatively and help in practice
to design effective security measures [4].
However, the results of current research still highlight some less considered
problems such as the analysis of cultural differences in ISPCB [5, 6]. This becomes
particularly relevant when internationally operating companies want to define their
security measures and use them in their heterogeneous cultural environment [7].
16th International Conference on Wirtschaftsinformatik,
March 2021, Essen, Germany
Copyright © 2021 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
Existing research partially considers this problem when analyzing ISPCB [3, 8].
Previous research shows, for example, that the effectiveness of established measures to
ensure information security can vary from one national culture to another [7]. Other
culture-related studies analyze the cultural differences in information security attitudes
and behavior of employees [9].
Thus, there is still a need for the examination of aspects that have not yet been taken
into account to a sufficient extent. First, the current research describes that only a
limited set of cultures have been analyzed at the national level for differences in terms
of ISPCB [5, 10]. Second, existing approaches either do not use theories to describe
cultural differences regarding ISPCB in their basic form or consider specific contexts,
such as different security offenses [8, 11]. An analysis of theoretical mechanisms in a
general ISPCB context offers the possibility of better comparability and more specific
use of the results with existing and future research [12]. Currently, we cannot say
whether the currently analyzed theories in ISPCB research differ in their predictive power
and mechanisms in different countries because there is no common level of
comparability. Therefore, the aim of this study is to investigate whether the predictive
power of established theories and their mechanisms differ in different national cultures.
Our study addresses the mentioned gaps as follows. Using two of the most widely
used theories in ISPCB research, the Deterrence Theory (DT) [8] and the Protection
Motivation Theory (PMT) [13] we collected, analyzed and compared data sets with
different cultural values from Germany, the USA and India using an SEM-PLS
approach. We use the two theories mentioned above because they have different
perspectives on ISPCB [3]. Our analysis comprises three aspects. First, we conduct
invariance testing to validate that the measurement instruments measure the same
theoretical construct across our cultures. Second, there is an established tradition in
information systems research in general, of comparing research models that have been
developed and tested in earlier work [14]. Thus, we follow this approach and compare
the predictive power and the mechanisms of the two theories [15]. We test for statistical
differences between the explained variance in ISPCB using a Multi Group Analysis.
The rest of the paper is structured as follows. In the second section, we look at the
cultural dimensions that are the basis for our cross-cultural comparison and describe
the analyzed theories DT and PMT. We then develop the research model and present
the explorative hypotheses underlying this study in the third section. Subsequently, the
results of the study are presented. The study concludes with a discussion, limitations,
contributions and an outlook on further research potentials.
2 Theoretical Background
2.1 The Concept of National Culture
The factor culture is an essential dimension that shapes an individual’s behavior and
can be described as a summary of ideologies, beliefs, basic assumptions, shared norms
and values, that have an influence on the collective will [16]. Existing research on
information security and culture indicates a wide range of studies in which the influence
of theoretical mechanisms on ISPCB are analyzed, based on national cultural
differences. To apply these cultural differences, Hofstede's cultural dimensions provide
a solid base for a comparison and are a widely used approach in information security
research [9]. The dimensions consist of the constructs power distance (PD), uncertainty
avoidance (UA), individualism/collectivism (COL), Masculinity/Femininity (MAS)
and long-term orientation (LO). Power distance determines the degree to which people
accept and expect that power is distributed unequally. Uncertainty Avoidance defines
the degree to which people feel uncomfortable with uncertainty and ambiguity.
Individualism is defined as a preference of individuals to take care of only themselves
and their families. Collectivism is the opposite. Masculinity and Femininity can be
related to tough vs. tender cultures. According to Hofstede (2011), Masculinity
represents values such as heroism, material rewards or success. Femininity is related to the
preference for cooperation, modesty and quality of life. Long-term orientation defines the
degree to which long term values and traditions are balanced in contrast to thrift
encouragement and efforts in modern solutions [17]. We used Hofstede’s cultural
dimensions for two reasons. First, the dimensions have been rigorously developed and
provide definitions for different cultural dimensions. Second, their application allows
us to better integrate our theoretical findings in this stream of literature [7].
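{| class="wikitable"
|+ Table 1. Comparison of Cultural Dimensions between Nations
! rowspan="2" | Cultural Dimension !! colspan="3" | Country Score
|-
! Germany !! USA !! India
|-
| Power Distance || 35 || 40 || 77
|-
| Uncertainty Avoidance || 65 || 46 || 40
|-
| Collectivism || 67 || 91 || 48
|-
| Masculinity/Femininity || 66 || 62 || 56
|-
| Long Term Orientation || 31 || 29 || 61
|}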
We selected the three nations Germany, India and the USA because they have different
values in Hofstede's cultural dimensions and thus form a good basis for analyzing
cultural differences at the national level. Table 1 shows that India has a higher value
for PD than Germany or the USA, which means in the Indian culture it is more likely
to accept the unequal distribution of power than in the national culture of Germany or
the USA. Uncertainty avoidance differs more between Germany and the USA and
India, which shows that in German culture uncertainty and ambiguity are described as
more uncomfortable than in the U.S. and India. The COL dimension is strongest for the
USA and lowest for India. It shows that the national culture of the USA has a strong
bias for collective action in society instead of emphasizing individualism. The
dimension MAS shows similarly high values in all three cultures. LO is more
pronounced in India than in the USA or Germany and shows that Indian culture
emphasizes long-term values and traditions instead of thrift encouragement and efforts
in modern solutions. Overall, the three national cultures show a good distribution in the
characteristics of the cultural dimensions according to Hofstede and are therefore well
suited for carrying out an intercultural comparison at the national level.
2.2 Deterrence Theory in Information Security Research
The DT has its origin in criminology and has been widely used in information security
research [8]. The theory states that individuals will choose to commit an offence, if the
benefits outweigh the underlying penalties. The DT further describes that the trade-off
between benefits and the expected penalty can be further divided in different
mechanisms, namely sanction certainty, sanction severity and sanction celerity [11].
When considering the DT in existing information security literature, a wide range of
uses can be identified. The application of the original form of DT concentrates on the
usage of formal sanctions to explain ISPCB, while other research additionally includes
more informal consequences, such as informal sanctions like guilt and shame. Formal
sanction severity is described as the formal expected amount of a penalty when a policy
violation is committed, such as a fine or a warning, while an example of informal
sanction severity could be the loss of reputation among colleagues and superiors or shame.
Formal sanction certainty describes the perceived probability of being formally
punished if one is caught for an ISP non-compliant behavior, while informal sanction
certainty describes the probability of being informally punished by the social environment
(e.g. at the workplace) [3]. Sanction celerity describes the speed with which a person is
punished if a crime was committed [18].
Both formal and informal sanction certainty and sanction celerity find empirical support
in various contexts of information security research [19]. Since sanction severity and
sanction celerity are considered the two main components of deterrence theory, and since
celerity has received less empirical support in information security research so far, we
only considered formal and informal sanction severity and sanction celerity in our
research model [11].
2.3 Protection Motivation Theory in Information Security Research
The PMT has its origins in healthcare research. The theory states that a person, when
confronted with a threat, cognitively weighs the threat and a possible related protective
measure [20]. After assessing the threat and potential countermeasures to cope with it,
the individual decides to adopt an adaptive or non-adaptive behavior. Adaptive
behaviors are recommended responses designed to protect against a threat, whereas
non-adaptive responses involve behaviors in which the threat recipient avoids
implementing a recommended response. PMT assumes that the susceptibility to threats
and the severity of the threat have a positive effect on a person's behavior and
adaptation. Similarly, in its adapted form, the PMT contains further constructs used to
constitute the protection motivation, such as response effectiveness, self-efficacy to
comply and response costs, which have a direct influence on behavior [21]. Response
costs describe the perceived extrinsic or intrinsic personal costs of performing the
suggested adaptive behavior in terms of time, money or effort. Response efficacy is
described as the perceived effectiveness of the behavior in mitigating or avoiding the
perceived violation. Self-efficacy is defined as the confidence an individual possesses
in effectively performing a recommended response and in complying with given ISPs.
Severity is defined as the perception of the seriousness of an information security
violation. Susceptibility refers to the degree to which someone feels vulnerable to a
specific violation of ISPs [13].
The constructs of the PMT find broad empirical support in information security
research. Menard et al. (2017) analyze the impact of PMT on the individual motivation
of information technology users. Johnston and Warkentin (2010) developed their fear-
appeal model based on the PMT in order to convey the effectiveness of an antispyware
software [22]. Moody et al. (2018) show that PMT constructs such as response efficacy,
severity and susceptibility have an indirect effect on behavior [3]. However, current
information security research lacks studies on the relationship between PMT
constructs and national culture [13, 20]. We, therefore, used the explained theoretical
constructs of the PMT for our cross-cultural analysis.
3 Research Approach
3.1 Hypotheses development and Research Design
The hypotheses of a research project serve to answer the underlying research questions.
However, in order to answer our research questions, we need to operationalize the
theories we have introduced earlier in our study. The construct definitions from the DT
and PMT were used to transfer the theories into a structural model displayed in Figure
1. This becomes necessary because the results of the structural model are needed to
determine the effect strengths of the respective theory components on ISPCB. They are
used to determine the predictive power of the theories for ISPCB. We furthermore
analyze different effect sizes between the constructs along different cultures to identify
significant differences as it has been shown that differences in cultural values can have
an influence on behavior [17]. We draw on this argumentation and propose the
following hypotheses:
H1: The predictive power of DT and the model's mechanisms differ across cultures.
H2: The predictive power of PMT and the model's mechanisms differ across
cultures.
We conducted an empirical cross-cultural study to examine our underlying
hypotheses. The operationalization of their variables follows a context-independent
approach, measuring general ISPCB in order to make more generalized statements
about the effectiveness of the theories and to compare their explanatory power
throughout the culture samples [12]. For the measurement of behavior, the items of
D'Arcy and Lowry (2019) were used and generalized for our study. Furthermore, we
used 7-point Likert scales for our questionnaires. The items for formal and informal
sanction severity and certainty of the DT (3 items each) were adapted from Moody et al.
(2018) and rephrased for our study [3]. The items used for the constructs response cost
and response efficacy of the PMT were adapted from Floyd et al. (2000) (4 items each).
Self-efficacy, severity and susceptibility were taken from Menard et al. (2017) and
adapted (3 items each) [13, 20]. The questions used per item are listed in the appendix.
Figure 1. Research Models of DT and PMT (two panels: DT and PMT).
We used an SEM approach and the partial least squares (PLS) method to test the
theoretical models, because it has fewer sample size requirements and is characterized
by excellent prediction [24]. We performed a cross-model comparison by using a multi-
group analysis (MGA) to look for significant differences in the mean differences of the
explained variance of our models across our samples as well as in the path coefficients
of the analyzed theories (Welch-Satterthwaite test) [25].
3.2 Data collection, Sample Characteristics and Common-Method Bias
A pilot study was conducted by sending the survey to five academic experts for review.
A test run was then started with 60 participants for each sample, where at least 30 results
per sample were complete and valid. The crowdsourcing platforms Amazon
Mechanical Turk and Clickworker were used to collect the data, taking into account the
quality criteria for using crowd working platforms, defined by Lowry et al. (2016) [26].
Only participants with their cultural background and origin from the respective sample
(USA, India, Germany) were able to participate in our study. Their job acceptance rate
on the platform had to be higher than 90%, and a certification of English language
skills had to be registered on the platform. We only selected participants who were
employed, worked at least partially with a computer in their job and whose organization
had an ISP. Additional attention checks were built into the study (e.g., requests to select
a specific response) to avoid systematic response patterns. Participants were paid $1.65
for successful and conscientious participation in the study. In total, 767 people
participated in the German survey, 623 in the survey within the USA and 481 people in
the Indian survey. After applying the used quality criteria, the resulting samples consist
of 422 (57%) valid responses collected in Germany, 263 (42%) in the USA and 252
(52%) in India. Demographic characteristics of the respondents were adapted from
Hovav and D'Arcy (2012). The average age in all three countries is between 30 and 35
years. In all three countries, the proportion of men is higher than 60%. The majority of
the participants work in a company with more than 1000 employees.
To carry out the common method bias test, we used the marker variable technique
[27] and chose the respondent's outside activities as the theoretically unrelated marker
variable [23]. The highest variance that the marker shares with another construct is less
than 0.05. In addition, the path coefficients between the constructs showed no
significant size changes (> 0.01 and not significant). In conclusion, the result suggests
that there is no evidence of a common method bias in our study.
4 Data Analysis and Results
4.1 Measurement Models and Invariance Testing
To check our data for reliability, common quality criteria for reflective measurement
models in IS research were applied to our study [28]. We used individual item
reliability, composite construct reliability (CR), and average variance extracted (AVE)
as indicators of convergent validity for our models. The factor loadings of the items for
the DT and PMT model were all above 0.70, which indicates sufficient item reliability
[29] (see appendix). The CR is higher than 0.70 for every variable used in each model,
and the AVE is higher than 0.5 [28]. We furthermore used the Fornell and Larcker
criterion to confirm discriminant validity by showing that for each model, the AVE for
each construct is higher than the variance shared with other constructs (see square root
AVEs as bold numbers in Table 2) [30, 31]. In summary, our results indicate that our
measurement model is acceptable and reliable.
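The reliability and discriminant-validity checks named in this paragraph, written out as an added Python example (not code from the paper). The numbers are transcribed from the Germany rows of the Deterrence Theory part of Table 2; the function names are illustrative, and the failing case in the `__main__` section is constructed.

```python
import math

# Germany sample, Deterrence Theory model, transcribed from Table 2.
CR = {"FSC": 0.884, "FSS": 0.917, "ISC": 0.913, "ISS": 0.919, "ISPCB": 0.938}
AVE = {"FSC": 0.719, "FSS": 0.786, "ISC": 0.778, "ISS": 0.790, "ISPCB": 0.834}
# Lower triangle of the inter-construct correlation matrix: (row, column) -> r
CORR = {
    ("FSS", "FSC"): 0.581,
    ("ISC", "FSC"): 0.468, ("ISC", "FSS"): 0.496,
    ("ISS", "FSC"): 0.409, ("ISS", "FSS"): 0.551, ("ISS", "ISC"): 0.649,
    ("ISPCB", "FSC"): 0.347, ("ISPCB", "FSS"): 0.318,
    ("ISPCB", "ISC"): 0.428, ("ISPCB", "ISS"): 0.378,
}


def convergent_validity(cr, ave, cr_min=0.70, ave_min=0.50):
    """Return the constructs that miss the CR > 0.70 or AVE > 0.5 threshold."""
    return [c for c in cr if cr[c] <= cr_min or ave[c] <= ave_min]


def fornell_larcker(ave, corr):
    """Return (construct, other, r) for every pair where the square root of a
    construct's AVE does not exceed its correlation with another construct."""
    violations = []
    for (x, y), r in corr.items():
        for construct, other in ((x, y), (y, x)):
            if math.sqrt(ave[construct]) <= abs(r):
                violations.append((construct, other, r))
    return violations


def tightest_margin(ave, corr):
    """Return the construct with the smallest gap between sqrt(AVE) and its
    highest correlation with any other construct, plus that gap."""
    highest = {}
    for (x, y), r in corr.items():
        for construct in (x, y):
            highest[construct] = max(highest.get(construct, 0.0), abs(r))
    margins = {c: math.sqrt(ave[c]) - r for c, r in highest.items()}
    name = min(margins, key=margins.get)
    return name, round(margins[name], 3)


if __name__ == "__main__":
    print("threshold failures:", convergent_validity(CR, AVE))
    print("Fornell-Larcker violations:", fornell_larcker(AVE, CORR))
    print("tightest construct:", tightest_margin(AVE, CORR))
    # Constructed failing case: sqrt(0.50) = 0.707 is below r = 0.75.
    print("constructed:", fornell_larcker({"A": 0.50, "B": 0.80}, {("B", "A"): 0.75}))
```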
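{| class="wikitable"
|+ Table 2. Inter-construct correlations, construct reliability, and average variance extracted of Deterrence Theory Model.
! Sample !! Item !! CR !! AVE !! FSC !! FSS !! ISC !! ISS !! ISPCB
|-
| rowspan="5" | Germany
| FSC || 0.884 || 0.719 || '''0.848''' || || || ||
|-
| FSS || 0.917 || 0.786 || 0.581 || '''0.887''' || || ||
|-
| ISC || 0.913 || 0.778 || 0.468 || 0.496 || '''0.882''' || ||
|-
| ISS || 0.919 || 0.79 || 0.409 || 0.551 || 0.649 || '''0.889''' ||
|-
| ISPCB || 0.938 || 0.834 || 0.347 || 0.318 || 0.428 || 0.378 || '''0.913'''
|-
| rowspan="5" | USA
| FSC || 0.85 || 0.654 || '''0.809''' || || || ||
|-
| FSS || 0.87 || 0.693 || 0.618 || '''0.832''' || || ||
|-
| ISC || 0.903 || 0.757 || 0.404 || 0.447 || '''0.87''' || ||
|-
| ISS || 0.881 || 0.713 || 0.366 || 0.451 || 0.667 || '''0.844''' ||
|-
| ISPCB || 0.918 || 0.789 || 0.399 || 0.373 || 0.394 || 0.491 || '''0.888'''
|-
| rowspan="5" | India
| FSC || 0.808 || 0.585 || '''0.765''' || || || ||
|-
| FSS || 0.823 || 0.608 || 0.5 || '''0.78''' || || ||
|-
| ISC || 0.841 || 0.639 || 0.344 || 0.359 || '''0.799''' || ||
|-
| ISS || 0.801 || 0.576 || 0.408 || 0.624 || 0.507 || '''0.759''' ||
|-
| ISPCB || 0.823 || 0.609 || 0.453 || 0.433 || 0.357 || 0.475 || '''0.78'''
|}

{| class="wikitable"
! Sample !! Item !! CR !! AVE !! RC !! REF !! SEF !! SEV !! SUS !! ISPCB
|-
| rowspan="6" | Germany
| RC || 0.866 || 0.624 || '''0.79''' || || || || ||
|-
| REF || 0.906 || 0.708 || -0.015 || '''0.842''' || || || ||
|-
| SEF || 0.931 || 0.819 || -0.167 || 0.328 || '''0.905''' || || ||
|-
| SEV || 0.918 || 0.788 || 0.155 || 0.197 || 0.095 || '''0.888''' || ||
|-
| SUS || 0.944 || 0.85 || -0.084 || 0.346 || 0.400 || 0.339 || '''0.922''' ||
|-
| ISPCB || 0.866 || 0.624 || -0.162 || 0.333 || 0.495 || 0.074 || 0.467 || '''0.913'''
|-
| rowspan="6" | USA
| RC || 0.926 || 0.759 || '''0.871''' || || || || ||
|-
| REF || 0.887 || 0.664 || -0.199 || '''0.815''' || || || ||
|-
| SEF || 0.916 || 0.784 || -0.237 || 0.499 || '''0.885''' || || ||
|-
| SEV || 0.915 || 0.781 || 0.414 || 0.088 || -0.003 || '''0.884''' || ||
|-
| SUS || 0.905 || 0.761 || -0.082 || 0.476 || 0.500 || 0.131 || '''0.872''' ||
|-
| ISPCB || 0.918 || 0.789 || -0.263 || 0.597 || 0.603 || -0.009 || 0.539 || '''0.888'''
|-
| rowspan="6" | India
| RC || 0.87 || 0.628 || '''0.792''' || || || || ||
|-
| REF || 0.805 || 0.509 || 0.35 || '''0.714''' || || || ||
|-
| SEF || 0.81 || 0.588 || 0.138 || 0.47 || '''0.767''' || || ||
|-
| SEV || 0.841 || 0.64 || 0.395 || 0.437 || 0.395 || '''0.8''' || ||
|-
| SUS || 0.787 || 0.553 || 0.234 || 0.516 || 0.531 || 0.402 || '''0.743''' ||
|-
| ISPCB || 0.824 || 0.609 || 0.161 || 0.543 || 0.698 || 0.331 || 0.606 || '''0.781'''
|}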
Notes (also for following tables): FSC = Formal Sanction Certainty. FSS = Formal Sanction Severity. ISC
= Informal Sanction Certainty. ISS = Informal Sanction Severity. RC = Response Cost. REF = Response
Efficacy. SEF = Self Efficacy. SEV = Severity. SUS = Susceptibility. The bold numbers on the leading
diagonal are the square root of the AVE. *significant at 0.1; ** significant at 0.05; *** significant at 0.01.
Additionally, we tested for configural and metric measurement invariance. This step
is necessary to create the ability to further analyze differences in the predictive power
of the theories in a cross-cultural manner [32]. Only if the loadings of the similar items
are invariant across groups can differences in the item scores be meaningfully
compared to the extent that they indicate similar group differences in the underlying
construct [33]. To measure invariance, we performed an MGA and tested the differences
in item loadings for all models between the three samples. We were not able to find
significant differences between the item loadings of our samples and thus show metric
invariance and comparability of our results.
4.2 Testing Theoretical Mechanisms across Cultures
We have tested the previously introduced path models with the PLS algorithm for
estimating the structural model. We used the bootstrapping method to determine the
significance of the path coefficients with 5000 bootstrap samples [28]. An overview of
our significance levels of the individual path coefficients for all three models is given
in Table 3.
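{| class="wikitable"
|+ Table 3. Structural Models of DT and PMT Research Model.
! rowspan="2" | Model Path !! colspan="3" | Path Coefficients !! colspan="3" | Significant Effect Differences
|-
! Germany !! USA !! India !! Germany / USA !! Germany / India !! USA / India
|-
! colspan="7" | Deterrence Theory
|-
| FSC -> ISPCB || 0.150*** || 0.211*** || 0.252*** || NS || NS || NS
|-
| FSC -> ISPCB || 0.018 || 0.052 || 0.124* || NS || NS || NS
|-
| ISC -> ISPCB || 0.196*** || 0.058 || 0.105 || S* || NS || NS
|-
| ISS -> ISPCB || 0.164*** || 0.372*** || 0.213*** || S* || NS || NS
|-
! colspan="7" | Protection Motivation Theory
|-
| RC -> ISPCB || -0.049 || -0.086* || -0.011 || NS || NS || NS
|-
| REF -> ISPCB || 0.149*** || 0.307*** || 0.207*** || S* || NS || S**
|-
| SEF -> ISPCB || 0.324*** || 0.296*** || 0.467*** || NS || S* || S*
|-
| SEV -> ISPCB || -0.062 || -0.033 || -0.049 || NS || NS || NS
|-
| SUS -> ISPCB || 0.279*** || 0.220*** || 0.279*** || NS || NS || NS
|}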
While formal sanction certainty and informal sanction severity have a significant
impact in all three models, formal sanction severity only applies to India and informal
sanction certainty only to Germany. The mechanisms of PMT are almost equally
applicable to all three cultures. While response efficacy, self-efficacy and susceptibility
are applicable in all three models and severity has no significant effect in all of them,
response cost is only significantly applied in the USA model.
We additionally identified some significant effects of our control variables (see
appendix). Age has a significant effect on ISPCB in at least one of the samples for each
theory. The company size and industry only have an influence in the DT model.
Education affects at least one sample for each theory. For gender, only one significant
effect can be found in the PMT model.
4.3 Comparing the Predictive Power across Cultures
In order to determine the predictive power of the theories and then compare them, we
first considered the path coefficients of the individual models and determined whether
significant differences exist in their magnitude [25]. In the second step we compared the
explained variance and also investigated whether significant differences exist. As
analyzed in the previous chapter, different significances can be identified in the path
coefficients of the DT models. However, it can be observed that only significant path
differences can be identified in the informal sanctions. For example, ISC in the USA
model is significantly higher than in the German model (significant at 0.1). The same
difference can be found for ISS. The PMT model was tested using five different
constructs. Response efficacy has a significant effect on ISPCB in all three models,
whereas the effect in the USA is significantly higher than in Germany and India. There
is a significant effect of self-efficacy on ISPCB in all models, where the path coefficient
in the Indian model is significantly higher than in the USA and German ones (significant at 0.1).
When interpreting the explained variance, the acceptable values depend on the
research context [29]. In general, a proportion of the explained variance of an
endogenous variable is considered low up to 0.32, moderate from 0.33 and substantial
from 0.67. The R² adjusted in the DT model is in the medium range for the USA (0.350)
and India (0.327), for the German sample slightly below the 0.32 limit at 0.291.
However, the MGA showed that the difference between Germany and USA and
Germany and India is significant (significant at 0.05). For the PMT models, all R²
adjusted are in the medium range, whereas only the value for Germany is below 0.4
(0.358) and significantly different compared to the USA (0.520) and Indian (0.580)
sample (significant at 0.05). The R² adjusted values for the PMT and DT model are
above average [8]. The differences in the R² values may result from the different
operationalisation of the theories, as we use basic models or have no further context-
specific extensions in our models. Along the investigated theories we can see that there
are significant differences in the path coefficients of the theories as well as in the R² of
the models.
5 Discussion
5.1 Implications for Research and Practice
Our results show implications for research as well as for practice. The main purpose of
this analysis was to empirically evaluate and compare the predictive power of the DT
and PMT along three different national cultures. The results of the analysis provide
different insights into the cultural differences when applying the theories and show
interesting theoretical contributions. First, by applying configural and metric invariance
between our cultural samples, we can show that our used models and items of the DT
and PMT are understood in the same way across different cultures [33]. These results
are the basic prerequisite for a comparison of the theories between the national cultures.
Secondly, we were able to show that there are differences in the predictive power of
DT and PMT mechanisms. We could show for our context that the theories have a small
to medium-strong explanatory power. Significant differences along the cultures exist
in the DT model between USA and Germany. In addition, we were able to show in our
study that the PMT constructs response efficacy and self-efficacy explain the ISPCB
significantly better in India and the USA than in Germany. Furthermore, our results
show different effects for the effectiveness of formal sanctions in the USA than in
existing research [7]. Our results provide important information on the effectiveness of
models on ISPCB in order to define what types of measures are appropriate to ensure
ISPCB in an international context. These findings indicate that ISPCB research needs
to consider cultural differences in the use of DT and PMT. Our results provide a basis
for more specific investigation, such as analysing the effects of individual cultural
dimensions on the mechanisms of the theories analysed. Finally, we can contribute to
a broader consideration of intercultural comparisons between more than two nations
since we integrated national samples such as Germany and India which were previously
less considered in cross-cultural research of ISPCB [6].
Practitioners can also benefit from the conclusions of our results. Our findings
underline the relevance of a cultural differentiation of measures for the management of
security breaches. Overall, in the future, it will be important to consider cultural
differences when using security measures to positively influence ISPCB. Companies
should pay attention to the fact that the measures work differently in different
international locations. They should be designed with a culture-specific mode of
operation in mind. An example of such differences is the use of sanctions. While our
results show that the severity of an expected formal punishment in different cultures
tends to be less effective for ISPCB, the sole high probability that a formal punishment is
to be expected is comparatively more effective.
5.2 Limitations and Future Research
For an adequate interpretation of our results, the following limitations of the study
should be considered. On the one hand, we measured general ISPCB and did not
specifically refer to one or more contexts. The general validity of our results cannot be
proven by the fact that cultural differences can be context specific. Future research can
take up this aspect and examine our results as a starting point for cultural differences in
specific ISPCB contexts. Secondly, in order to compare different cultures, we have used
three example cultures, which differ in their cultural dimensions according to [17].
Thus, our results are limited to the cultures we selected. In order to find out more about
the differences between cultures, we need to involve further culture samples and take a
closer look at the direct influences of cultural dimensions on specific behaviour.
Furthermore, we could not consider the problem of a cultural shift in detail. For
example, our samples from the different countries could be influenced by the individual
cultural values of each subject. In order to obtain a detailed consideration of cultural
values on the studied theoretical constructs and ISPCB, future studies should also
measure culture on an individual level and investigate it in terms of its influence on
ISPCB [7]. Third, moderating factors could only partially be addressed in our work.
More detailed differences and the involvement or deepening of other factors, such as
an industry-specific investigation or an analysis based on different educational
backgrounds, will be subjected to future research.
6 Conclusion
Studies on the analysis of ISPCB often show the need to consider their results from
different cultural perspectives. However, existing studies in this area rarely take an
empirical approach, look at given problems from different theoretical lenses and put
the results into context. This study is the first to empirically test and compare three
prominent theories that are often used to explain ISPCB. Furthermore, we were able to
identify different types of effects in different cultures and to show that their strength can
vary. Interestingly, both strong similarities and differences can be identified across
theories. Other interesting aspects are effects that remain constant across the three cultures analyzed,
such as attitude or susceptibility as an effective factor for explaining ISPCB. Our results
give a first impression of cultural differences in the effectiveness of different theoretical
models and provide a starting point for the design and implementation of ISPs in an
international environment. In summary, future research on ISPCB and culture should
draw on these results when deciding for or against a theoretical lens and should
conduct more specific analyses.
References
1. Barlow, J.B., Warkentin, M., Ormond, D., Dennis, A.R.: Don't Even Think About It! The
Effects of Antineutralization, Informational, and Normative Communication on
Information Security Compliance. Journal of the Association for Information Systems 19
(2018)
2. Lowry, P.B., Moody, G.D.: Proposing the control-reactance compliance model (CRCM) to
explain opposing motivations to comply with organisational information security policies.
Info Systems J 25, 433–463 (2015)
3. Moody, G.D., Siponen, M., Pahnila, S.: Toward a Unified Model of Information Security
Policy Compliance. MIS Quarterly 42, 285–311 (2018)
4. Willison, R., Warkentin, M., Johnston, A.C.: Examining employee computer abuse
intentions: insights from justice, deterrence and neutralization perspectives. Info Systems J
28, 266–293 (2018)
5. Cram, W.A., D'Arcy, J., Proudfoot, J.G.: Seeing the Forest and the Trees: A Meta-Analysis
of the Antecedents to Information Security Policy Compliance. MISQ 43, 525–554 (2019)
6. Crossler, R.E., Johnston, A.C., Lowry, P.B., Hu, Q., Warkentin, M., Baskerville, R.:
Future directions for behavioral information security research. Computers & Security 32,
90–101 (2013)
7. Hovav, A., D’Arcy, J.: Applying an extended model of deterrence across cultures: An
investigation of information systems misuse in the U.S. and South Korea. Information &
Management 49, 99–110 (2012)
8. Trang, S., Brendel, B.: A Meta-Analysis of Deterrence Theory in Information Security
Policy Compliance Research. Inf Syst Front 21, 1265–1284 (2019)
9. Connolly, L.Y., Lang, M., Wall, D.S.: Information Security Behavior: A Cross-Cultural
Comparison of Irish and US Employees. Information Systems Management 36, 306–322
(2019)
10. Chen, Y., Zahedi, F.M.: Individuals' Internet Security Perceptions and Behaviors:
Polycontextual Contrasts Between the United States and China. MISQ 40, 205–222 (2016)
11. D'Arcy, J., Herath, T.: A review and analysis of deterrence theory in the IS security
literature: making sense of the disparate findings. European Journal of Information
Systems 20, 643–658 (2011)
12. Aurigemma, S., Mattson, T.: Generally Speaking, Context Matters: Making the Case for a
Change from Universal to Particular ISP Research. Journal of the Association for
Information Systems (2019)
13. Menard, P., Bott, G.J., Crossler, R.E.: User Motivations in Protecting Information
Security: Protection Motivation Theory Versus Self-Determination Theory. Journal of
Management Information Systems 34, 1203–1230 (2017)
14. Srite, Karahanna: The Role of Espoused National Cultural Values in Technology
Acceptance. MISQ 30, 679 (2006)
15. Brown, S.A., Venkatesh, V., Hoehle, H.: Technology adoption decisions in the household:
A seven-model comparison. J Assn Inf Sci Tec 66, 1933–1949 (2015)
16. Leidner, D.F., Kayworth, T.: Review: a review of culture in information systems research:
toward a theory of information technology culture conflict. MIS Quarterly 30 (2006)
17. Hofstede, G.: Culture's consequences. Comparing values, behaviors, institutions, and
organizations across nations. Sage Publ, Thousand Oaks, Calif. (2011)
18. Vance, A., Siponen, M.T., Straub, D.W.: Effects of sanctions, moral beliefs, and
neutralization on information security policy violations across cultures. Information &
Management 57, 103212 (2020)
19. Willison, R., Lowry, P.B., Paternoster, R.: A Tale of Two Deterrents: Considering the
Role of Absolute and Restrictive Deterrence to Inspire New Directions in Behavioral and
Organizational Security Research. JAIS, 1187–1216 (2018)
20. Floyd, D.L., Prentice-Dunn, S., Rogers, R.W.: A Meta-Analysis of Research on Protection
Motivation Theory. Journal of Applied Social Psychology 30, 407–429 (2000)
21. Warkentin, M., Malimage, N., Malimage, K.: Impact of Protection Motivation and
Deterrence on IS Security Policy Compliance: A Multi-Cultural View. In: WISP 2012
(2012)
22. Johnston, Warkentin: Fear Appeals and Information Security Behaviors: An Empirical
Study. MIS Quarterly 34, 549 (2010)
23. D'Arcy, J., Lowry, P.B.: Cognitive‐affective drivers of employees' daily compliance with
information security policies: A multilevel, longitudinal study. Info Systems J 29, 43–69
(2019)
24. Ringle, S., Straub, S.: Editor's Comments: A Critical Look at the Use of PLS-SEM in
"MIS Quarterly". MIS Quarterly 36, iii (2012)
25. Rocha Flores, W., Antonsen, E., Ekstedt, M.: Information security knowledge sharing in
organizations: Investigating the effect of behavioral information security governance and
national culture. Computers & Security 43, 90–110 (2014)
26. Lowry, P.B., D’Arcy, J., Hammer, B., Moody, G.D.: “Cargo Cult” science in traditional
organization and information systems survey research: A case for using nontraditional
methods of data collection, including Mechanical Turk and online panels. The Journal of
Strategic Information Systems 25, 232–240 (2016)
27. Lindell, M.K., Whitney, D.J.: Accounting for common method variance in cross-sectional
research designs. Journal of Applied Psychology 86, 114–121 (2001)
28. Hair, J.F., Hult, G.T.M., Ringle, C.M., Sarstedt, M.: A primer on partial least squares
structural equation modeling (PLS-SEM). SAGE, Los Angeles, London, New Delhi,
Singapore, Washington DC, Melbourne (2017)
29. Hair, J.F.: A primer on partial least squares structural equation modeling (PLS-SEM). Sage
Publ, Los Angeles (2014)
30. Chin, W.: Issues and Opinion on Structural Equation Modeling. MIS Quarterly 22 (1998)
31. Fornell, C., Larcker, D.F.: Evaluating Structural Equation Models with Unobservable
Variables and Measurement Error. Journal of Marketing Research 18, 39 (1981)
32. Steelman, Z.R., Hammer, B.I., Limayem, M.: Data Collection in the Digital Age:
Innovative Alternatives to Student Samples. MISQ 38, 355–378 (2014)
33. Henseler, J., Ringle, C.M., Sarstedt, M.: Testing measurement invariance of composites
using partial least squares. International Marketing Review 33, 405–431 (2016)
Appendix
Table 4. Analyzed Control Variables.
Control         Deterrence Theory                Protection Motivation Theory
Variables       Germany    USA        India      Germany    USA        India
Age             0.269***   0.138***   0.099*     0.057*     0.096**    0.029
Company Size    0.102***   0.008      0.037      0.013      -0.02      -0.017
Education       0.035      -0.138***  -0.061     0.099***   0.034      0.011
Gender          0.059      0.036      -0.026     0.065*     0.037      0.067*
Industry        0.120***   0.144***   0.132***   0.032      0.033      -0.031
Job Position    0.012      -0.033     0.024      -0.071     0.044      0.035
Table 5. Used Items.
Construct: Items

Formal Sanction Severity:
1. How much of a problem would it create in your life if you violated the company information security policy?
2. How much of a problem would it be if you received severe sanctions if you violated the company information security policy?
3. How much of a problem would it create in your life if you were formally sanctioned if you violated the company information security policy?

Formal Sanction Certainty:
1. What is the chance that you would be formally sanctioned (punished) if management learned that you had violated company information security policies?
2. I would receive corporate sanctions if I violated company ISP procedures.
3. What is the chance that you would be warned if management learned you had violated company information security procedures?

Informal Sanction Severity:
1. It would create a problem in my life if my career was adversely affected for not complying with ISP procedures regularly.
2. It would create a problem in my life if I lost the respect and good opinion of my colleagues for not following ISP procedures regularly.
3. It would create a problem in my life if I lost the respect of my manager for not complying with ISP procedures regularly.

Information Sanction Certainty:
1. How likely is it that you would lose the respect and good opinion of your business associates for violating company information security procedures?
2. How likely is it that you would jeopardize your promotion prospects if management learned that you had violated company information security procedures?
3. How likely is it that you would lose the respect and good opinion of your manager for violating company information security policies?

Response Cost:
1. Complying with information security procedures would be time consuming.
2. Complying with information security procedures would take work time.
3. Complying with information security procedures makes my work more difficult.
4. Complying with information security procedures inconveniences my work.

Response Efficacy:
1. Complying with information security procedures in our organization keeps information security breaches down.
2. If I were to comply with information security procedures, IS security breaches would be scarce.
3. If I were to do the opposite to what Mattila did, it would keep IS security breaches down.
4. If I were to do the opposite to what Mattila did, IS security breaches would be minimal.

Self-Efficacy to Comply:
I have the necessary ... to fulfil the requirements of the ISP (skills, knowledge, competencies).

Severity:
An information security breach in my organization would be serious / severe / significant.

Susceptibility:
1. My information and technology resources are at risk for becoming attacked.
2. It is likely that my information and technology will become compromised.
3. It is possible that my information and technology resources will become compromised.

ISPCB:
1. I complied with the requirements of the ISP.
2. I protected information and technology resources according to the requirements of the ISP.
3. I carried out my responsibilities prescribed in the ISP when I used information and technology.