SECURITY SUBCULTURES IN AN ORGANIZATION - EXPLORING VALUE CONFLICTS

Security culture is considered as an important factor in overcoming the problem with employees’ lack of compliance with Information Security (IS) policies. Within one organization different subcultures might transcribe to different and sometimes even conflicting, values. In this paper we study such value conflicts and their implications on IS management and practice. Shein’s (1999) model of organizational culture is used as a tool supporting analysis of our empirical data. We found that value conflicts exists between different security cultures within the same organization and that users anchor their values related to IS in their professional values. Thus our empirical results highlight value conflicts as an important factor to take into account when security culture is developed in an organization. Moreover, we found Shein’s model as a useful tool for analysis of value conflicts between different subcultures in an organization

The influence of organizational culture on the outcome of an IS implementation

A number of information system (IS) studies have adopted organizational culture (OC) theory to investigate IS implementations. The studies highlight that members will reach consensus or agreement in the use of an IS but also experience inevitable tensions and ambiguities in the use of the IS. However, literature related to IS implementation/OC has rarely examined the influence that the saliency of specific cultural practices may have on the success or failure of IS implementations. Using a case study approach, we adopted the “soft positivism” research philosophy to collect data, underpinned by Martin’s (1992) integration and differentiation perspectives of OC to study organizational implementation of an IS. These perspectives served as interpretive lenses through which to explain how members’ salient behaviors towards an IS evolved during the implementation process. Our study augments the IS implementation/OC literature by demonstrating how salient cultural practices influence the outcome of IS implementatio

Sub-cultures effect on Information security culture in an organization

This study investigates the influence of subcultures on information security culture with-in organizations. The research focuses on the cultural and policy dimensions of infor-mation systems security and aims to explore how subcultures within an organization affect information security culture. The study employes a qualitative case study ap-proach, conducting interviews with employees from different departments of a Norwe-gian IT consultant company. The findings reveal variations in information security ownership, knowledge and awareness, and work goals and challenges among departments. The study emphasizes the need for tailored information security measures that consider the unique characteris-tics of each department. Collaboration and knowledge sharing between departments are identified as crucial for improving information security understanding and alignment with work goals. Flexibility and adaptability in information security policies and rou-tines are recommended to strike a balance between security and operational efficiency. The study contributes to the understanding of information security culture and provides practical insights for organizations to enhance their practices and policies. Further re-search is suggested to explore subcultures related to information security, examine alignment between work goals and information security across departments, and inves-tigate the long-term impact of security measures on organizational outcomes. Despite limitations such as sample size and participant selection, this study provides empirical insights into the relationship between subcultures, information security culture, and or-ganizational dynamics

Information Security Subcultures in Information Security Management: A Conceptual Framework

The rationale behind an organization’s information system is to provide access to its information resources and services anywhere anytime over networks. This need creates issues of security in the management of the information systems. The information system approach is socio-technical by nature, involving people and processes as well as technologies; hence, the culture and characteristics of the organization are factors in effective information security management. This implies that the concept of information management is multi-dimensional and includes the human, organizational and technological dimensions. Stemming from this information security culture is considered as an important factor in the management of information security in an organization by overcoming the problem with employees’ lack of compliance with information security management initiatives. However the security culture of an organization is based on the different security subcultures of different sections or subsections that have its basis on the training backgrounds of the individuals and or different tasks performed by each of the groups or a combination of both. This paper addresses information security from the management point of view paying close attention to the information security subculture as seen in the organizations and looks into different methods that the security subcultures can be studied in relation to information security management. Keywords: Information security management system, organizational culture, information security culture, information security subculture

Exploring the Dynamics of Culture in the Roll-out and Adoption of eCollaboration Technology: A Case Study Comparison

Implementing eCollaboration technologies implies specific organizational challenges surrounding roll-out and adoption. IT adoption literature has researched the concept of culture and the notion of fit between IT and culture. However, in the context of eCollaboration technologies, cultural fit as a possible influence factor has not been explored sufficiently. Thus, we aim at closing this gap by exploring the role of culture in the roll-out and adoption of eCollaboration technologies. We present two cases of eCollaboration technology roll-out that contrast in the extent to which the technology was adopted. The cases were analyzed from a culture perspective. Although our results confirmed the relevance of cultural fit, they also revealed additional dimensions of the concepts of culture and cultural fit that should be investigated further. Our paper contributes to a better understanding of the nature of cultural influence in the organizational roll-out and adoption of eCollaboration technologies

The Behavioral Equivalence of Organizational Culture

Three decades of organizational cultural (OC) studies have seen change in both content and emphasis. This paper presents findings from an extensive review of literature on OC and highlights the relevance of OC with respect to individual, organizational, intra-organizational, industry and external environment related variables. The concept of organizational culture (OC) has traditionally focused on values and beliefs and has been considered to be relatively stable and enduring. But literature is less sanguine about the reciprocal evolution of culture through behaviors. This paper presents a behavioral perspective on OC and contributes to its emerging dynamic aspect. A behavioral model of OC is suggested and propositions are drawn to explain the dynamics involved.

"Not My Responsibility!" - A Comparative Case Study of Organizational Cybersecurity Subcultures

Despite significant technological advancements and the increasing sophistication of cyber- attacks in today’s modern society, organizations underestimate the human link in cybersecu- rity. Many still overlook that human behavior and decision-making are crucial in protecting sensitive information and mitigating risks. Organizations seemingly prioritize investigating time and resources into improving their technological cybersecurity measures rather than increasing the employees’ cybersecurity knowledge. These actions significantly impact the cybersecurity culture of the company. Cybersecurity culture refers to the shared values, beliefs, and actions of the employees in an organization that emphasize the importance of safeguarding digital assets, data, and systems against cyber threats. It encompasses the organization’s dedication, awareness, protocols, and ability to manage cybersecurity risks and promote a security-focused environment. Re- cent studies have primarily focused on discussing cybersecurity culture as a singular concept within an organization. This qualitative research aims to investigate the impact of cybersecurity subcultures within organizations. A systematic literature review was conducted to gain an overview of the existing theoretical background on cybersecurity subcultures. This process proved that there is a research gap in the topic of subcultures, as most of the current literature encompasses cybersecurity culture as a collective concept. Data was collected through semi-structured interviews with ten employees from two IT companies. Cybersecurity leaders from each company agreed that the sales and IT subcultures had the most significant differences; hence, employees from each subculture in both companies were interviewed. The results prove that the security leaders’ suspicions were correct. The sales subcultures need to gain more knowledge about cybersecurity. Cybersecurity measures are seen more as obstacles instead of improving their cybersecurity. There is also a significant need for more responsibility. They believe that someone better qualified will take care of their mistakes if they cause a cybersecurity incident. On the other hand, the IT subculture seems to understand cybersecurity better. They have comprehensive knowledge of the topic. However, they also share this uncertainty regarding responsibilities, stating they feel pressured to share their expertise with colleagues. This leaves them with limited time to complete their actual work tasks. They point to a lack of management responsibility as one of the critical reasons for this. This research sheds light on cybersecurity subcultures and challenges the notion that orga- nizations have only one cybersecurity culture. Organizations need to allocate their time and resources differently and acknowledge the significance of subcultures in maintaining overall cybersecurity. The findings and insights are meant to assist organizations in enhancing their cybersecurity operations and protocols

Conflicts, integration, hybridization of subcultures: An ecological approach to the case of queercore

This paper investigates the case study of queercore, providing a socio-historical analysis of its subcultural production, in the terms of what Michel Foucault has called archaeology of knowledge (1969). In particular, we will focus on: the self-definition of the movement; the conflicts between the two merged worlds of punk and queer culture; the \u201cinternal-subcultural\u201d conflicts between both queercore and punk, and between queercore and gay\lesbian music culture; the political aspects of differentiation. In the conclusion, we will offer an innovative theoretical proposal about the interpretation of subcultures in ecological and semiotic terms, combining the contribution of the American sociologist Andrew Abbot and of the Russian semiologist Jurij Michajlovi\u10d Lotma

Fostering Information Security Culture In Organizations: A Research Agenda

Information security is a major challenge for organizations due to the proliferation of digitization and constant connectivity. It is becoming widely accepted that raising an information security culture, meaning instilling security behaviour in people interacting with ICTs, is key to maintaining a healthy security posture. However the academic field of information security culture has been described as immature, lacks empirical validation, while the constituents of the concept as well as methods, tools, frameworks and metrics for fostering and evaluating it within organisations remain elusive. This pa- per, based on a critical analysis of relevant literature and practice, provides a research agenda of critical issues that need to be addressed so that users, from security’s weakest link, become an important actor for proactive information security. These issues include the need for proper and employable definitions of information security culture and the need to explore the existence of security subcultures, the need to develop frameworks, tools and metrics for guiding, evaluating and comparing security culture raising programs, the need to explore the interplay between organisational elements (including organisational structure, type and management practices) and security culture, the need to identify the impact of security culture in issues such as innovation adoption, the need to investigate the influence of national and organisational culture on security culture and so on