سیاست های امنیت اطلاعات و مغایرت ارزش در شرکت های چند ملیتی Information security policies and value conflict in multinational companies

1. Introduction With the increasing number of security breaches, one of the main concerns of organizations is to ensure availability, integrity, and confidentiality of their systems and data. Organizations can use a variety of security policies to create an effective infrastructure and governance to reduce potential security breaches. Although a rich body of literature examines various aspects of security policies in organizations, information systems scholars have not paid the necessary attention from the cross-cultural perspective (Ford et al., 2003). In fact, research on crosscultural information security is considered as one of the most important future directions in the security literature (Crossler et al., 2013). In this paper, we focus our attention on this mostly neglected intersection of information security policies and culture research. More specifically, we aim to examine the challenges of enforcing security policies from parent companies to subsidiaries in a multinational company (MNC) context. The nature of multinational companies (MNCs) adds a layer of complexity to enforcing security policies, given cultural and organizational differences between parent and subsidiary companies. For instance, Abdul-Gader (1997) illustrated how the misconceptions of understanding about fate in the Islamic context and the technical capability of the Arab language are some of the issues that need to be considered by MNCs in Arab Gulf countries. One of the main benefits of successful diffusion of security policies is reducing the security breach risk of MNCs. Although MNCs can span across continents, the interconnectedness of information technology emphasizes the importance of enforcing security policies on subsidiaries. For instance, after a security breach or compromise of access rights at a subsidiary company, hackers can attack the parent company through privilege escalation or social engineering. However, when parent companies use policies as discourse to legitimize their practices, they create value pluralism either directly by imposing new values or indirectly by creating institutional pluralism. In the existence of value pluralism, organizational members are forced to consider the alternative or conflicting values in their routine decision-making process. This, in turn, decreases policy diffusion success and increases the risk of security breaches. What makes the diffusion of security policies different from the previously well-established research on MNCs and legitimization literature is the twofold change security policies bring; change in routines and change in technology. In other words, successful diffusion of security policies requires not only successful policy diffusion but also successful technology diffusion. Our goal is to make a unique contribution to the information security literature by highlighting potential issues during security policy diffusion within a MNC context and by providing recommendations to minimize value conflict resulting from this process. First, we discuss how information security policies can create value pluralism and institutional pluralism due to cultural and institutional distance between the parent company and its subsidiaries, and also due to the stickiness of security knowledge. Then we postulate that using security policies for discursive strategies, ambidexterity, and resource allocation can effectively decrease value conflict. In an essence, we emphasize that security policies should not only address the technical side of security but also provide solution for addressing potential value conflicts as individuals interpret these policies, especially in different cultural and institutional settings.