LUP Student Papers

The Role of Organisational Culture in Shaping and Ensuring Information Security Compliance

• Mark

Abstract

Purpose: This bachelor thesis examines the impact of organisational culture on the adherence to Information Security (hereinafter IS) protocols (IS compliance) and the crucial factors leading to varying levels of consistency in information security awareness (hereinafter ISA) between organisational departments while considering the unique Swedish cultural qualities.
Methodology: This thesis reaches its conclusion through a series of primary and secondary data collection procedures. Primary data relies on semi-structured interviews with experts from different departments influential in IS compliance decision-making in order to understand how existing practices influence organisation culture by changing incentives and attitudes change with... (More)

Purpose: This bachelor thesis examines the impact of organisational culture on the adherence to Information Security (hereinafter IS) protocols (IS compliance) and the crucial factors leading to varying levels of consistency in information security awareness (hereinafter ISA) between organisational departments while considering the unique Swedish cultural qualities.
Methodology: This thesis reaches its conclusion through a series of primary and secondary data collection procedures. Primary data relies on semi-structured interviews with experts from different departments influential in IS compliance decision-making in order to understand how existing practices influence organisation culture by changing incentives and attitudes change with regards to adherence to security practices.
Theoretical Background: The thesis breaks down the socio-technical research question into manageable chunks that can be explored through research, and consequently allows for proper questions to be framed in order to achieve findings within the outline of this thesis. IS compliance is broken down to its basic nature, investigating both the human factors that affect compliance with IS (based on existing research), as well as the technical elements and governance principles. Lastly, proper models are selected to identify ways through which to interpret the role of organisational culture (Schein’s Iceberg Model) and national culture (Hofstede’s Cultural Dimensions) with regards to compliance intention.
Empirical Findings: The compliance intention factors revealed varying values of the departments, however, transparency, accountability, and the nature of the data were deemed the most essential elements in identifying information security practices. Compliance is shaped by the implied incentives from actions taken by the departments. The CS experts are the primary agents who act as a source of ISA, however, the tensions and nuance in responses between them, IT department and top management result in the lowering of their potential to affect the organisational culture in the desired way. The IT department is generally undertaking a mediating role in ISA, yet specifics of their jobs implied their prime focus in technicalities, which resulted in lower levels of proper interdepartmental communication. Overall, transparency and dynamic learning were the pivotal elements mentioned by fairly all respondents.
Analysis: Incentives and actions of different departments are projecting the leadership priorities and craft the general behaviour within organisational culture. It is crucial for the organisations to analyse ISA and IS compliance as a cultural component which shall be organically absorbed through dynamic learning. Moreover, compliance intention factors and maturity levels provide a certain prism of perception through which to determine proper levels of security compliance and governance. Such emphasis shall act as a tool for the cognition of actionable principles to be taken to reflect the cultural preferences of employees and cultivate proper interdepartmental practices.
Conclusion: With regards to the Swedish cultural maxim, greater transparency would be warranted to increase intra-organizational learning, and contribute to optimized solutions, as opposed to solutions oriented around top-management’s objectives. In doing so, ISA and IS compliance are likely to become a more crucial aspect of workers’ perceptions, by allowing workers more control over decisions, due to greater knowledge. (Less)