An investigation of employee security behaviour in organisational settings: the effect of procedural security countermeasures and cultural factors

Abstract

An increasing number of information security breaches in organisations presents a serious threat to the security of personal and commercially sensitive information. Recent research shows that humans are the weakest link in the security chain and the root cause of a great portion of security breaches. This dissertation draws on the General Deterrence Theory and prior research on organisational and national culture and examines how procedural security countermeasures, including security education and an information security policy, and cultural factors affect employee security behaviour in organisational settings. In particular, this research project answers the following questions: • How do security countermeasures affect employee security behaviour in organisational settings? • How does perceived organisational culture affect employee security behaviour in organisational settings? • How does perceived national culture affect employee security behaviour in organisational settings? Data for this research project were collected from 19 individuals, nine from organisations located in the United States and ten in Ireland, through qualitative interviews. Organisations and study participants were purposely selected. The principle of theoretical sampling guided data collection. Study’s findings demonstrate that procedural security countermeasures, including security education and an information security policy, tend to lead to compliant behaviour. Furthermore, organisational culture values of solidarity and people-orientation incline to promote compliance with information security requirements, while sociability and task-orientation lean towards non-compliant behaviour. Additionally, flat structure is associated with the improved information security in organisations because employees are empowered to bring up various issues related to information security. Finally, comparative analysis suggests differences in two data sets. In particular, employees in observed organisations located in the United States tend to be more compliant with information security rules than their counterparts from observed organisations located in Ireland. Further, group non-compliance is a more prevalent occurrence in observed organisations located in Ireland as opposed to observed cases located in the United States. Finally, it appears that employees in observed organisations located in the United States tend to put higher emphasis on information security value than employees in observed cases located in Ireland.