فرهنگ سازمانی، رویه اقدامات متقابل و رفتار امنیتی کارکنان: یک مطالعه کیفی Organisational Culture, Procedural Countermeasures,and Employee Security Behaviour: A Qualitative Study

1. Introduction Historically, organisations have emphasised a technological approach in order to protect the security of their information assets. However, as many attackers have started to include social means in their malicious efforts, e.g. social engineering, the need for a holistic approach in addressing information security issues has emerged. The domain of behavioural information security (InfoSec) research highlights the importance of taking into consideration the “human” element when ensuring information security throughout the organisation. Research and practice have shown that technical tools are powerless when it comes to the enforcement of behavioural rules such as password sharing, reporting of security incidents, adherence to a clear desk policy, and the secure disposal of confidential documents. Rather, compliance with these rules entirely depends on employees’ motivation to conform. Therefore, it is essential to understand factors that lead to compliant behaviour or that prompt employees to break organisational information security rules. This study provides new insights about security behaviour in selected U.S. and Irish organisations by investigating how organisational culture and procedural security countermeasures influence security actions. Crossler et al. (2013, p.90) note that “although a predominant weakness in properly securing information assets is the individual user within an organization, much of the focus of extant security research is on technical issues”. In response, our work takes its place amongst the small number studies to date that focus on behavioural as opposed to technical issues. Generally, Behavioural InfoSec research falls into two broad categories: (1) those that focus on the effects of cognitive processes on employee security behaviour (Bulgurcu et al., 2010), and (2) the effect of social controls (Cheng et al., 2013). This study concentrates on the latter. The two basic forms of social controls are formal and informal (Ross, 1896). Formal social controls refer to rules and regulations against deviant behaviour (Cheng et al., 2013). Organisational sanctions, rewards, security education and training, and information security policies are all forms of formal organisational controls.