The moderating impact of organizational culture on information security compliance

Abstract

This research paper investigates the association between organizational culture and employees' compliance with information security policies. Drawing upon rational choice theory (RCT) and the competing values framework (CVF), our study explores the moderating effects of cultural dimensions on information security compliance in a diverse range of organizations. We employ a scenario-based approach and analyze the data using Partial Least Squares Structural Equation Modeling (PLS-SEM). Our findings underscore the robustness of the model and emphasize the pivotal role of cultural dimensions in influencing employees' compliance intentions. The study contributes by synthesizing non-fear-based deterrence theory with organizational culture theory, offering practical insights for information security managers. Recommendations include framing compliance as a moral duty, involving end-users in policy development, utilizing effective communication, implementing monitoring systems, and fostering a consistency culture. For organizations, the research underscores the importance of cultivating an ethical culture, emphasizing moral beliefs, and leveraging cultural dimensions to enhance compliance intentions. Acknowledging limitations related to single-country data collection, a focus on compliance intentions, and the selection of organizations with established policies, this research paves the way for future studies. Future research should aim to replicate this study in diverse cultural settings, consider individual-level culture measurement, and explore additional moderating factors. This research contributes to understanding the intricate relationship between organizational culture and information security compliance, offering actionable insights for practitioners and prospects for further exploration in the information security field.