Joachim Åström scite author profile

Purpose – The aim of this paper is to survey existing information security culture research to scrutinise the kind of knowledge that has been developed and the way in which this knowledge has been brought about. Design/methodology/approach – Results are based on a literature review of information security culture research published between 2000 and 2013 (December). Findings – This paper can conclude that existing research has focused on a broad set of research topics, but with limited depth. It is striking that the effects of different information security cultures have not been part of that focus. Moreover, existing research has used a small repertoire of research methods, a repertoire that is more limited than in information systems research in general. Furthermore, an extensive part of the research is descriptive, philosophical or theoretical – lacking a structured use of empirical data – which means that it is quite immature. Research limitations/implications – Findings call for future research that: addresses the effects of different information security cultures; addresses the identified research topics with greater depth; focuses more on generating theories or testing theories to increase the maturity of this subfield of information security research; and uses a broader set of research methods. It would be particularly interesting to see future studies that use intervening or ethnographic approaches because, to date, these have been completely lacking in existing research. Practical implications – Findings show that existing research is, to a large extent, descriptive, philosophical or theoretical. Hence, it is difficult for practitioners to adopt these research results, such as frameworks for cultivating or assessment tools, which have not been empirically validated. Originality/value – Few state-of-the-art reviews have sought to assess the maturity of existing research on information security culture. Findings on types of research methods used in information security culture research extend beyond the existing knowledge base, which allows for a critical discussion about existing research in this sub-discipline of information security.

show abstract

Measuring employees’ compliance – the importance of value pluralism

Karlsson

Åström

2017

ICS

View full text Add to dashboard Cite

Purpose This paper aims to investigate two different types of compliance measures: the first measure is a value-monistic compliance measure, whereas the second is a value-pluralistic measure, which introduces the idea of competing organisational imperatives. Design/methodology/approach A survey was developed using two sets of items to measure compliance. The survey was sent to 600 white-collar workers and analysed through ordinary least squares. Findings The results suggest that when using the value-monistic measure, employees’ compliance was a function of employees’ intentions to comply, their self-efficacy and awareness of information security policies. In addition, compliance was not related to the occurrence of conflicts between information security and other organisational imperatives. However, when the dependent variable was changed to a value-pluralistic measure, the results suggest that employees’ compliance was, to a great extent, a function of the occurrence of conflicts between information security and other organisational imperatives, indirect conflicts with other organisational values. Research limitations/implications The results are based on small survey; yet, the findings are interesting and justify further investigation. The results suggest that relevant organisational imperatives and value systems, along with information security values, should be included in measures for employees’ compliance with information security policies. Practical implications Practitioners and researchers should be aware that there is a difference in measuring employees’ compliance using value monistic and value pluralism measurements. Originality/value Few studies exist that critically compare the two different compliance measures for the same population.

show abstract

Democratic Innovations: Reinforcing or Changing Perceptions of Trust?

Åström¹,

Jonsson²,

Karlsson³

2016

International Journal of Public Administration

View full text Add to dashboard Cite

The effect of perceived organizational culture on employees’ information security compliance

Karlsson

Åström

et al. 2021

ICS

View full text Add to dashboard Cite

Purpose This paper aims to investigate the connection between different perceived organizational cultures and information security policy compliance among white-collar workers. Design/methodology/approach The survey using the Organizational Culture Assessment Instrument was sent to white-collar workers in Sweden (n = 674), asking about compliance with information security policies. The survey instrument is an operationalization of the Competing Values Framework that distinguishes between four different types of organizational culture: clan, adhocracy, market and bureaucracy. Findings The results indicate that organizational cultures with an internal focus are positively related to employees’ information security policy compliance. Differences in organizational culture with regards to control and flexibility seem to have less effect. The analysis shows that a bureaucratic form of organizational culture is most fruitful for fostering employees’ information security policy compliance. Research limitations/implications The results suggest that differences in organizational culture are important for employees’ information security policy compliance. This justifies further investigating the mechanisms linking organizational culture to information security compliance. Practical implications Practitioners should be aware that the different organizational cultures do matter for employees’ information security compliance. In businesses and the public sector, the authors see a development toward customer orientation and marketization, i.e. the opposite an internal focus, that may have negative ramifications for the information security of organizations. Originality/value Few information security policy compliance studies exist on the consequences of different organizational/information cultures.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

customersupport@researchsolutions.com

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.