Information security poses a variety of challenges for any organisation. One such challenge, though often overlooked, is that of the threat posed by users. Whilst a variety of methods are available to control this, none have been particularly successful. An alternative suggested in the literature is the use of organisational culture via corporate governance to improve the security behaviours of individuals (Thomson & von Solms, 2005; von Solms & von Solms, 2004; Mishra & Dhillon, 2006). At the core of these alternative theories is the assumption that culture affects information security, though no literature could be found that tests this relationship. Previous research into the effects of organisational culture on other aspects of an organisation has lead to uncertainty as to the existence of such a relationship, and therefore it needs to be evaluated before these theories can be tested or further utilised. The purpose of this study is twofold, viz, to test the relationship between organisational culture and information security behaviour, and to test the viability of using the Partial Least Squares (PLS) method advocated by Chin & Newstead ( 1999) for this type of research. A model was developed to represent information security attitudes, which, combined with Hofstede’s (1990) model of culture, was used to develop the survey. The model and survey were piloted via interview in the organisations. The results lead us to question the existence of a relationship between organisational culture and information security attitudes.
McCoy, Brydie; Stephens, Greg; and Stevens, Kenneth J., "An Investigation of the Impact of Corporate Culture on Employee Information Systems Security Behaviour" (2009). ACIS 2009 Proceedings. 58.