The Effects of Cultural Contradictions on Information Security Compliance Behaviour

Thesis / Dissertation

2023

Abstract
Purpose: Organisational culture and an information security subculture can have a significant influence on employee compliance with information security policies. Cultivating an information security culture, however, is a challenge for organisations, as differences in cultural values can lead to cultural contradictions. Cultural contradictions can in turn lead to conflict, which has an undesirable influence on employee compliance behaviour. The purpose of this research is to explain the nature of the relationship between emergent cultural contradictions in organisations and the information security compliance behaviour of employees.

Methodology: Structuration Theory was used as a theoretical lens to explain how cultural contradictions are implicated in employee compliance behaviour. The research methodology was qualitative in nature, comprising a case study with interviews as the data collection instrument. The qualitative data was analysed using thematic analysis to report on cultural orientations, emerging cultural contradictions, and a structurational analysis of how cultural contradictions influence employee compliance with information security policies.

Findings: Cultural contradictions between the espoused values of employees and the security values underpinning technology, priorities, processes, and vision are shown to have an adverse effect on employee compliance with information security policies. Structurational analysis also revealed that an ineffective security training programme can lead to an unintended consequence of non-compliance with information security policies. Furthermore, misaligned information security goals can result in employees circumventing information security policies if they are deemed to conflict with their professional goals, a problem further exacerbated by weakly enforced sanctions. Findings also show that power relations enacted within a multinational organisation can have an undesirable effect on the information security policy compliance behaviour of implementors and employees alike.

Value: The implications of cultural contradictions on employee compliance behaviour have received little attention in research. The few studies that have addressed the phenomenon have predominantly relied on value-based organisational theories. This study seeks to address this limitation by proposing a theoretical framework grounded in social theory, to explain how cultural contradictions are implicated in information security compliance behaviour.