enforcing information security policies through cultural boundaries
enforcing information security policies through cultural boundaries
enforcing information security policies through cultural boundaries
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
ENFORCING INFORMATION SECURITY POLICIES<br />
THROUGH CULTURAL BOUNDARIES:<br />
A MULTINATIONAL COMPANY APPROACH<br />
Yayla, Ali Alper, School of Management, PO Box 6000, Binghamton University-SUNY,<br />
Binghamton, NY, 13902, USA, ayayla@binghamton.edu<br />
Abstract<br />
Information <strong>security</strong> <strong>policies</strong> can be considered as guidelines and used as a starting point to create a<br />
<strong>security</strong> structure within an organization. Although practitioners continuously emphasize the<br />
importance of such <strong>policies</strong>, <strong>information</strong> system scholars have not paid the required attention to this<br />
context from the cross-<strong>cultural</strong> perspective. The purpose of this study is to look at the <strong>cultural</strong> and<br />
institutional differences of a multinational company (MNC) and its subsidiaries, and discuss how these<br />
differences affect the MNC’s strategy to enforce corporate <strong>information</strong> <strong>security</strong> <strong>policies</strong> to its<br />
subsidiaries in different <strong>cultural</strong> settings. The proposed framework considers the effects of the <strong>cultural</strong><br />
distance, national economy, institutional distance, and stickiness of the knowledge transfer on the<br />
process of <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> from the parent company to its subsidiaries.<br />
Keywords: Information <strong>security</strong>, Information <strong>security</strong> policy, Cultural distance, Institutional distance,<br />
Knowledge transfer, Stickiness
1 Introduction<br />
Today, ensuring availability, integrity and confidentiality of <strong>information</strong> and data concerns many<br />
organizations. Deterrence can be one of the initial steps that organizations can take to ensure<br />
<strong>information</strong> <strong>security</strong> (Straub and Welke, 1998). However, successful deterrence depends on<br />
organization’s ability to control its environment with respect to internal and external threats.<br />
Information <strong>security</strong> <strong>policies</strong> define the nature of these controls (i.e., technical, formal and informal<br />
controls) and how these controls complement each other (Dhillon, 1999).<br />
Moreover, <strong>security</strong> <strong>policies</strong> govern how organizations’ <strong>information</strong> should be protected (Kabay, 2002;<br />
Barman, 2002). Whitman (2004) posits that a good <strong>security</strong> policy needs to “outline individual<br />
responsibilities, define authorized and unauthorized uses of the systems, provide venues for employee<br />
reporting of identified or suspects threats to the system, define penalties for violations, and provide a<br />
mechanism for updating policy” (p.52). Enforcing corporate <strong>security</strong> <strong>policies</strong> has been reported as one<br />
of the most effective ways to prevent or reduce electronic crime (Gordon et al., 2004). Overall,<br />
<strong>security</strong> <strong>policies</strong> can be considered as guidelines and can be used as a starting point for creating a<br />
<strong>security</strong> structure within an organization (Whitman, 2004).<br />
The nature of multinational companies (MNCs) adds a layer of complexity to <strong>enforcing</strong> <strong>security</strong><br />
<strong>policies</strong> because MNCs need to consider the effects of different <strong>cultural</strong> and organizational settings<br />
and integrate these in their corporate <strong>security</strong> <strong>policies</strong>. Basing his arguments on Hofstede’s <strong>cultural</strong><br />
dimensions, Abdul-Gader (1997) emphasized culture as one of the most important environmental<br />
factors that MNCs should consider while adopting global Information Systems (IS) <strong>policies</strong> in Arab<br />
Gulf countries. He postulated that misconceptions of understanding about fate in the Islamic context<br />
and the technical capability of the Arab language are some of the issues that need to be considered by<br />
MNCs. However, management practices do not have to be different just because subsidiaries and<br />
parent company are in different countries and <strong>cultural</strong> settings. In their study, for instance, Anakwe et<br />
al. (2000) concluded that organizational support enhances microcomputer usage in Nigeria. Their<br />
result found support in other studies which demonstrated that similar management practices can be<br />
effective in different <strong>cultural</strong> settings (Igbaria, et al. 1995; Igbaria, 1992).<br />
Although practitioners continuously emphasize the importance of <strong>security</strong> <strong>policies</strong>, IS scholars have<br />
not paid the required attention to this context from the cross-<strong>cultural</strong> perspective. For instance, in their<br />
citation analysis of IS articles, Ford et al. (2003) found 57 articles about various contexts of IS that<br />
cited Hofstede’s research on national culture. Further analyses showed that IS Management area led<br />
with 25 articles. Within this research stream, however, no study cited Hofstede’s work in the IS Risk<br />
Management context.<br />
We aim to fulfil this gap by looking at <strong>cultural</strong> and institutional differences of an MNC and its<br />
subsidiaries and by investigating how these differences affect the MNC’s strategy to enforce corporate<br />
<strong>security</strong> <strong>policies</strong> to its subsidiaries in different <strong>cultural</strong> settings. More specifically, we will discuss<br />
<strong>cultural</strong> distance, institutional distance, and the stickiness of the knowledge transfer and offer series of<br />
propositions. Our goal is to make a unique contribution to the IS <strong>security</strong> literature by focusing on the<br />
issues to be considered while <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> within the MNC framework.<br />
2 Theoretical Framework<br />
According to Minbaeva et al. (2003), MNCs can develop knowledge in one location and exploit it in<br />
another location <strong>through</strong> internal transfer of knowledge. One way of creating competitive advantage<br />
for MNCs is effectively sharing organizational practices (Jensen and Szulanski, 2004). For example, in<br />
the strategy literature, organizational practices and routines are considered as important sources of
competitive advantage since these assets are difficult to replicate (Jensen and Szulanski, 2004).<br />
Considering that organizational know-how is an important part of a MNC’s global integration strategy,<br />
its competitive advantage partly resides in the effectiveness of sharing these practices and routines.<br />
MNCs are generally under different external and internal pressures. Externally, MNCs have to<br />
consider the institutional, <strong>cultural</strong>, and economic environments in multiple countries and have to be<br />
isomorphic with the local institutional environment to maintain their legitimacy (Kostova and Roth,<br />
2002). Establishing and maintaining legitimacy in their multiple host environments is critical for<br />
companies that span various countries (Kostova and Zaheer, 1999). Internally, MNCs have to create<br />
consistency among their subsidiaries by leveraging activities worldwide to retain their competitive<br />
advantages (Kostova and Roth, 2002).<br />
We postulate that the process of <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> to subsidiary companies<br />
would be affected by the <strong>cultural</strong> and institutional distances between the parent company and the<br />
subsidiary company. Moreover, the stickiness of the <strong>information</strong> <strong>security</strong> context would further affect<br />
this process. Figure 1 presents the framework of our study.<br />
Parent<br />
Company<br />
Cultural<br />
Distance<br />
Stickiness<br />
Institutional<br />
Distance<br />
Enforcing Information Security Policies<br />
Subsidiary<br />
Company<br />
Figure 1: The proposed framework for <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> in multinational<br />
companies<br />
The main goal of <strong>information</strong> <strong>security</strong> <strong>policies</strong> is to provide a set of rules and guidelines to protect the<br />
organization from <strong>security</strong> breaches. Under the umbrella of this goal, organizations can have variety of<br />
<strong>security</strong> <strong>policies</strong> addressing different issues such as identification and authorization, Internet access,<br />
contingency planning, and even social networking. Although MNCs can span across continents, the<br />
interconnectedness of IT emphasizes the importance of <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> on<br />
subsidiaries by the parent companies. Such that, a <strong>security</strong> breach or comprise of access rights at the<br />
subsidiary company can easily target the parent company <strong>through</strong> privilege escalation or social<br />
engineering.<br />
While transferring the actual <strong>information</strong> <strong>security</strong> <strong>policies</strong> consists of a simple process of sending the<br />
<strong>policies</strong> to the subsidiary companies, it is the implications of adhering with the requirements of such<br />
<strong>policies</strong> that create the difficulties in <strong>enforcing</strong> them. Security <strong>policies</strong> have unique features that<br />
separate them from other management practices. For instance, where a human resources practice<br />
focuses on recruiting, compensation, and performance appraisal, <strong>security</strong> <strong>policies</strong> can outline<br />
configuration of intrusion detection systems, management of cryptography keys, and designing secure<br />
infrastructure. Thus, in addition to traditional difficulties as a result of differences in norms, ethics and<br />
values, the technical requirements embedded in <strong>information</strong> <strong>security</strong> <strong>policies</strong> create the unique<br />
challenges in transferring and <strong>enforcing</strong> these <strong>policies</strong> to subsidiaries.
2.1 National Culture and Cultural Distance<br />
Various cross-<strong>cultural</strong> studies reported that there is a certain level of <strong>cultural</strong> coherence within the<br />
majority of nations (Hofstede and Peterson, 2000). The concepts that describe a nation’s culture can be<br />
derived from Hofstede’s (1980) study across 40 nations. The proposed four culture dimensions from<br />
his study are power distance, individualism versus collectivism, masculinity versus femininity, and<br />
uncertainty avoidance. The <strong>cultural</strong> distance (Kogut and Singh, 1988) is derived as a composite index<br />
from Hofstede’s culture dimensions and widely used in international business and various other<br />
business disciplines (Shenkar, 2001). Literature suggests that the <strong>cultural</strong> distance can affect various<br />
organizational level decisions including choice of entry mode of the MNC (Kogut and Singh, 1988),<br />
performance of alliances (Sirmon and Lane, 2004), distributed justice values (Giacobbe-Miller et al.,<br />
2003), and human resources management practices (Liu, 2004). These studies conclude that <strong>cultural</strong><br />
dimensions and <strong>cultural</strong> distance index have a central role in MNCs’ global strategy.<br />
The <strong>cultural</strong> dimensions have substantial importance in the success of <strong>enforcing</strong> <strong>security</strong> <strong>policies</strong> from<br />
the parent company to its subsidiaries as well. From the power distance perspective, it is important to<br />
look at the effects of restrictions outlined in <strong>security</strong> <strong>policies</strong>. Access controls, for example, can be<br />
considered as an effective measurement that is enforced by certain <strong>security</strong> <strong>policies</strong>. These controls<br />
restrict users from series of actions such as downloading files from the Internet, installing programs,<br />
and accessing certain parts of a computer network (Barman, 2002; Wakefield, 2004; Kabay, 2002).<br />
With respect to <strong>enforcing</strong> <strong>security</strong> <strong>policies</strong>, these restrictions may be problematic in high power<br />
distance cultures because adoption of power reducing technologies would be limited in such cultures<br />
(Straub et al., 1997).<br />
Hofstede (1980, 1997, 2001) posits that masculine societies put more stress on careers. This may lead<br />
masculine societies being performance oriented. Therefore, any technological or policy-based change<br />
in organizations that may hinder performance would create conflicts in masculine societies.<br />
Technologies outlined in <strong>security</strong> <strong>policies</strong> such as firewalls, antivirus programs, and passwords are<br />
generally considered as having negative effects on performance (Bace, 2002; Barman, 2004; Brussin,<br />
2002; Cobb, 2002; Sandhu, 2002). Therefore, <strong>enforcing</strong> <strong>security</strong> <strong>policies</strong> to masculine societies may<br />
compromise certain drawbacks.<br />
Moreover, <strong>security</strong> <strong>policies</strong> reduce ambiguity by outlining certain rules and procedures. The salience<br />
of these <strong>policies</strong> depends on the society’s level of uncertainty. Weak uncertainty avoidance societies<br />
are in favor of less formalization and standardization, whereas in strong uncertainty avoidance<br />
societies, there is an emotional need for rules (Hofstede, 1997). Therefore, this <strong>cultural</strong> dimension also<br />
has an impact on <strong>enforcing</strong> <strong>security</strong> <strong>policies</strong> to subsidiaries.<br />
Furthermore, <strong>security</strong> <strong>policies</strong> may require actions such as monitoring e-mail messages, recording<br />
keystrokes and collecting private data (Levine, 2002). Similarly, these <strong>policies</strong> may outline procedures<br />
for disciplining computer abusers in organizations (Barman, 2002). The tolerance level for these issues<br />
may differ across societies with respect to the individualism/collectivism dimension. Considering that<br />
<strong>cultural</strong> distance index captures the effects of all four <strong>cultural</strong> dimensions, MNCs that have big<br />
differences in this index compared to their subisidiaries would require different approaches in<br />
<strong>enforcing</strong> <strong>security</strong> <strong>policies</strong>. This leads to our first proposition;<br />
P1a: High <strong>cultural</strong> distance between the parent company and its subsidiaries will have a negative<br />
effect on the process of <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> to the subsidiary companies.<br />
According to Hofstede and Peterson (2000) and Hofstede (2001) the <strong>cultural</strong> dimensions are useful<br />
and essential, however, they provide only limited detail. Gross national product, given as an example,<br />
often matters more than national culture in the national difference context. Parallel to this line of
thought, digital divide may be considered as an important factor in <strong>enforcing</strong> <strong>security</strong> <strong>policies</strong> to<br />
subsidiaries. Some of the limited examples on digital divide point out the potential effects of<br />
differences in national economies. For example, Dewan et al. (2004) demonstrated the importance of<br />
digital divide on cross-<strong>cultural</strong> IT penetration. Checchi et al. (2003) posited that governments play a<br />
central role in the implementation of IT <strong>policies</strong>. However, in less developed countries, the role of<br />
governments becomes more salient, as regional agencies, such as industrial/professional associates and<br />
international agencies step up into the policy making stage. In another study, Ehikamenor (2002)<br />
posited that some of the important factors that inhibit the application of <strong>information</strong> and<br />
communication technologies in Nigeria are inflation, low GDP, and exchange rates.<br />
Moreover, <strong>enforcing</strong> <strong>security</strong> <strong>policies</strong> in less developed countries would be problematic in terms of<br />
meeting the requirements of such <strong>policies</strong>. One problem is the availability of skilled IT staff.<br />
Organizations in less developed countries may not have enough human resources or capital to train<br />
their IT staff to meet the requirements. Another problem is the availability of necessary technology.<br />
For instance, required hardware and software products may not be available in less developed<br />
countries. These issues concerning countries’ economic viability lead us to our next proposition;<br />
P1b: Differences in the national economy of the parent company and its subsidiaries will have a<br />
negative effect on the process of <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> to the subsidiary<br />
companies.<br />
2.2 Institutional Theory and Institutional Distance<br />
The institutional theory (Scott, 1995) considers the institutional environment as the key determinant of<br />
the firm structure and its behavior. In their review of the institutional theory, Xu and Shenkar (2002)<br />
discussed that the theory has been supported in unitary and domestic environments and received less<br />
support in more complex environments where different institutional demands exist and where strategic<br />
choices are important. One of the research streams in this literature involves the interorganizational<br />
issues. This stream of research is critical from MNCs’ perspective since these companies feel pressure<br />
from two different sides: global integration and local orientation (Westney, 1983). This dual pressure<br />
is also discussed by Rosenzweig and Singh (1991) as the subsidiaries of a multinational enterprise try<br />
to keep the isomorphism with their local environments and at the same time keep the internal<br />
consistency within the enterprise. Gomez and Werner (2004) also considered the effects of double<br />
sided pressure on MNCs and investigated how similarities in management styles of parent and<br />
subsidiary companies have an effect on the performance of the subsidiaries. This study has the<br />
advantage of having all the subsidiaries in one country, and therefore, substituting the potential<br />
confounding effect of national culture. Their results were consistent with the literature and emphasized<br />
the point that management styles should be congruent with the national culture in which the subsidiary<br />
resides.<br />
Scott (1995) defined three pillars of the institutional theory as regulative pillar - the rules and laws to<br />
ensure stability of societies, normative pillar - the similarities between the value creation of<br />
organizations and the societal values, and cognitive pillar - the degree of consistency between<br />
organizations and existing structures of the society (Kostova and Zaheer, 1999; Busenitz et al., 2000).<br />
Following this framework, Kostova (1996, 1999) developed the institutional distance construct. The<br />
institutional distance can be considered as an alternative explanation of MNC behavior to the <strong>cultural</strong><br />
distance. The institutional distance is the extent of dissimilarities between host and home<br />
organizations. In other words, it is the difference among the regulatory, normative and cognitive<br />
institutions of two countries (Kostova, 1996). According to the findings of Kostova and Zaheer<br />
(1999), the larger the institutional distance, the more difficult it is for the MNC to establish and<br />
maintain its legitimacy in the host country. Another effect of institutional distance is on the recipient’s
(subsidiary) motivation. On their study, Jensen and Szulanski (2004) found significant negative<br />
relationship between the institutional distance and the recipient’s motivation.<br />
Kostova and Roth (2002) further refined Scott’s (1995) three pillars to introduce the concept of<br />
institutional profile. They posited that the institutional profile of a host country may affect the<br />
adoption of practices at a foreign subsidiary <strong>through</strong> “the direct institutional pressure on the subsidiary<br />
to adopt the practice” (p. 217). Adoption of practices may also be accomplished <strong>through</strong> subsidiary’s<br />
employees since institutional theorists advocate that people in organizations are sources of the<br />
institutional elements. As discussed, subsidiaries experience institutional duality because they feel<br />
pressure to reside in parent company’s institutional environment and also to create isomorphism with<br />
their own environment. Kostova and Roth (2002) discuss that this relational context between the<br />
parent and subsidiary company also influences the adoption of practices.<br />
These institutional factors are considered in the IS literature as well. For instance, Munir (2002)<br />
discussed the normative and cognitive factors within the technology transfer context. He defined three<br />
aspects of technology transfer: choosing the right technology, developing managerial and technical<br />
expertise, and accommodating technology into the organization. From the <strong>security</strong> <strong>policies</strong> and MNC<br />
perspective, the last aspect carries more weight. In most cases, <strong>security</strong> <strong>policies</strong> are supported with<br />
technological infrastructure such as use of firewalls, intrusion detection systems, etc. The normative<br />
influences will require managerial control when more knowledge-intensive technology is being<br />
imported to environments characterized by less knowledge-intensive technology since complex<br />
technologies tend to conflict with existing management practices (Munir, 2002; Hansen et al., 1999).<br />
Overall, <strong>security</strong> <strong>policies</strong> have to fit to the existing institutional character of the organizations in order<br />
to be successfully enforced. Since <strong>security</strong> <strong>policies</strong> outline several practices such as disciplining<br />
computer abusers, participation to formal training and awareness programs, regular third party audits<br />
and several new hardware and software implementations (Barman, 2002; Siponnen, 2000; Thomson<br />
and von Solms, 1998), a misfit between subsidiaries’ regulatory environment and requirements of the<br />
parent company’s <strong>security</strong> <strong>policies</strong> will be problematic. Similar to these arguments, Hu et al. (2007)<br />
reported the effect of all three institutional forces on the initiatives to implement <strong>information</strong> systems<br />
<strong>security</strong> practices and protocols in a MNC. This leads to our next proposition;<br />
P2: High institutional distance between the parent company and its subsidiaries will have a negative<br />
effect on the process of <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> to the subsidiary companies.<br />
2.3 Stickiness and Knowledge Transfer Process<br />
During the knowledge transfer, parent companies recreate the complex and ambiguous routines in new<br />
settings. Szulanski (1996) argues that stickiness of organizational practices increases the difficulties of<br />
the transfer process. Prior research suggests four issues as important factors that contribute to the<br />
difficulty of knowledge transfer; characteristics of the knowledge transferred, characteristics of the<br />
source, characteristics of the recipient, and characteristics of the context (Szulanski, 1996). After<br />
studying 122 knowledge transfers with respect to these four characteristics, Szulanski (1996)<br />
concluded that the origins of stickiness are the lack of absorptive capacity of the recipient, causal<br />
ambiguity, and the arduous relationship between the source and the recipient.<br />
In their study, Ko et al. (2005) investigated the antecedents of knowledge transfer from consultants to<br />
clients in enterprise system implementations. The data were gathered from 96 enterprise resource<br />
planning projects including 80 client organizations and 38 consulting firms. The antecedents were<br />
grouped into three factors: communication, knowledge and motivational. Their results were also<br />
parallel to Szulanski’s findings. Additional to knowledge factors such as arduous relationship,<br />
absorptive capacity and shared understanding, Ko et al. (2005) found that direct effects of both
source’s and recipient’s intrinsic motivations, source credibility and indirect effects of communication<br />
encoding and decoding competence are also important determinants of the knowledge transfer.<br />
Current understanding of transfer process suggests four stages: initiation, implementation, ramp-up<br />
and integration. Szulanski (2000) posits that organizations experience different types of stickiness in<br />
each stage. His findings show that motivation and perceived reliability are important factors during<br />
the first three stages, and absorptive capacity and causal ambiguity are important predictors of<br />
stickiness when all the stages are put together and the knowledge transfer is considered as a whole.<br />
In the context of <strong>information</strong> <strong>security</strong>, the effect of stickiness will be most visible on the technological<br />
requirements of <strong>security</strong> <strong>policies</strong>. Configurations of hardware and software programs for large scale<br />
networks require advanced knowledge and experience. This type of knowledge is considered tacit and<br />
therefore hard to document, replicate or transfer. Moreover, slightly different configurations of<br />
computers may prevent adaptation of the same solution in different computer networks. Considering<br />
this “local” solution issue and the tacitness of <strong>information</strong> <strong>security</strong> context, transferring <strong>security</strong><br />
<strong>policies</strong> from one organization to another would be considered as sticky. This leads to our last<br />
proposition.<br />
P3: The stickiness of the <strong>information</strong> <strong>security</strong> practices will have a negative effect on the process of<br />
<strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> to the subsidiary companies.<br />
3 Discussion<br />
While <strong>information</strong> <strong>security</strong> and globalization can be considered as two sides of the same coin, the lack<br />
of cross-<strong>cultural</strong> studies in the <strong>information</strong> <strong>security</strong> literature is worrisome. Our goal is to provide a<br />
framework as a starting point to fulfil this important gap. This study focuses on the <strong>cultural</strong> and<br />
institutional differences of MNCs and their subsidiaries and outlines how these differences affect the<br />
MNCs’ strategy to enforce <strong>information</strong> <strong>security</strong> <strong>policies</strong> to their subsidiaries in different <strong>cultural</strong><br />
settings.<br />
Regarding the <strong>cultural</strong> differences, we proposed that high <strong>cultural</strong> distance will have a negative effect<br />
on the process of <strong>enforcing</strong> <strong>security</strong> <strong>policies</strong> to the subsidiaries. Parallel to this, we also proposed that<br />
differences in national economy and high institutional distance will have negative effects on this<br />
process as well. Lastly, we proposed that the stickiness of the IS <strong>security</strong> context will have an<br />
inherited detrimental effect on the efforts of <strong>enforcing</strong> these <strong>policies</strong>. The practical implications of the<br />
study are also vital. For instance, neglecting the <strong>cultural</strong> and institutional differences may result in loss<br />
of resources, high employee turnover, and even increased <strong>security</strong> breaches. Moreover, if it is not<br />
executed properly, the transfer of such <strong>policies</strong> may increase the dual pressure on the subsidiary,<br />
which in return may hinder their performance. Table 1 outlines these factors and how they relate to<br />
MNCs’ efforts in <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> to their subsidiaries.<br />
One limitation of the study is the fact that the business context of the MNC may affect the salience of<br />
the <strong>information</strong> <strong>security</strong> <strong>policies</strong>. Companies in certain industries may need more <strong>security</strong> than others<br />
to protect their company specific <strong>information</strong> such as patents, source codes, manufacturing processes,<br />
etc. On the other hand, this study opens many directions for future research. One direction can be the<br />
investigation of the subsidiary absorptive capacity. As discussed above, Szulanski (1996) posits that<br />
the lack of absorptive capacity is one of the most important impediments to knowledge transfer.<br />
Minbaeva et al. (2003) also found significant relation between the absorptive capacity of the<br />
subsidiary and the knowledge transfer within the MNC. Future studies can consider either controlling<br />
the effect of subsidiary’s capacity or including the effects of capacity into the context.
Cultural factors<br />
Sample requirements from<br />
<strong>information</strong> <strong>security</strong> <strong>policies</strong><br />
Power distance Access control to certain files<br />
Uncertainty avoidance Regular <strong>security</strong> audits<br />
Masculinity/Femininity Use of anti-virus software<br />
Individualism/Collectivism Use of computer monitoring<br />
National economy<br />
Institutional factors<br />
Regulative<br />
Implementation of advanced hardware<br />
or software<br />
Certain level of encryption required for<br />
storing confidential <strong>information</strong><br />
Normative Security certification<br />
Cognitive Skilled employee<br />
Stickiness<br />
Security of wireless infrastructure<br />
Potential issues<br />
In high power distance cultures, it is<br />
harder for IT employees to limit<br />
managers’ rights.<br />
Subsidiaries that are in low uncertainty<br />
cultures can have harder time to comply<br />
with rigid requirements of the parent<br />
company.<br />
Adoption of performance hindering<br />
software can be problematic in high<br />
masculinity cultures due to their focus on<br />
career advancement.<br />
Monitoring employee behavior can result<br />
in negative effect on employee morale,<br />
satisfaction, and performance in<br />
subsidiaries that reside in individualistic<br />
cultures.<br />
Availability of hardware and localization<br />
of software can be limited for subsidiaries<br />
that reside in developing or undeveloped<br />
countries.<br />
Countries of the subsidiaries can lack the<br />
regulations that exist in the parent<br />
company’s country.<br />
Lack of availability of certain<br />
certifications or institutions in<br />
subsidiaries’ countries can limit<br />
subsidiaries to conform with normative<br />
factors.<br />
Lack of education in computer science and<br />
related fields in the subsidiaries’ country<br />
can limit the efforts to comply with the<br />
requirements of the <strong>security</strong> policy.<br />
Designing a secure and reliable wireless<br />
network requires unique considerations<br />
such as interference from the environment,<br />
size and shape of the buildings, etc. Due to<br />
these localized differences, achieving<br />
success using the same solution can be<br />
limited.<br />
Table 1. Factors that affect MNCs’ efforts in <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> to their<br />
subsidiary companies.<br />
Another opportunity to take this study one step further is to investigate the effect of the MNC’s<br />
structure. Barlett and Ghosahal’s (1999) work introduced four different models of MNC:<br />
multinational, international, global and transnational. Each model has different configuration of assets<br />
and capabilities, role of foreign subunits, and development and diffusion of knowledge (Kostova and<br />
Roth, 2003). Therefore, the effectiveness of <strong>enforcing</strong> <strong>information</strong> <strong>security</strong> <strong>policies</strong> can be contingent
on the different characteristics of these four configuration models. In order to test the propositions and<br />
conduct the suggested future studies, a case study can be conducted to a multinational company with<br />
subsidiaries in different <strong>cultural</strong>, economical, and institutional settings.<br />
References<br />
Abdul-Gader, A.H. (1997). Information systems strategies for multinational companies in Arab Gulf<br />
countries. International Journal of Information Management, 17(1), 3-12.<br />
Anakwe, U.P., Igbaria, M. and Anandarajan, M. (2000). Management practices across cultures: Role<br />
of support in technology usage. Journal of International Business Studies, 31(4), 653-666.<br />
Bace, R.G. (2002). Vulnerability assessment and intrusion detection systems. In S. Bosworth and M.<br />
E. Kabay (Eds.), Computer Security Handbook. 4th ed. New York: John Wiley & Sons, Inc.<br />
Bartlett, C.A. and Ghoshal, S. (1989). Managing Across Borders: The Transnational Solution. Boston:<br />
Harvard Business School Press.<br />
Barman, S. (2002). Writing Information Security Policies. Indianapolis: New Riders.<br />
Busenitz, L.W., Gomez, C. and Spencer, J.W. (2000). Country institutional profiles: Unlocking<br />
entrepreneurial phenomena. Academy of Management Journal, 43(5), 994-1003.<br />
Brussin, D. (2002). Firewall and proxy servers. In S. Bosworth and M. E. Kabay (Eds.), Computer<br />
Security Handbook. 4th ed. New York: John Wiley & Sons, Inc.<br />
Checchi, R.M., Po-An Hsieh, J.J. and Straub, D.W. (2003). Public IT <strong>policies</strong> in less developed<br />
countries: A critical assessment of the literature and a reference fFramework. Journal of Global<br />
Information Technology Management, 6(4), 45-64.<br />
Cobb, C. (2002). Antivirus technology. In S. Bosworth and M. E. Kabay (Eds.), Computer Security<br />
Handbook. 4th ed. New York: John Wiley & Sons, Inc.<br />
Dewan, S., Ganley, S. and Kraemer, K.L. (2004). Across the digital divide: A cross-country analysis<br />
of the determinants of IT penetration. Personal Computing Industry Center, UC Irvine.<br />
Dhillon, G. (1999). Managing and controlling computer misuse. Information Management &<br />
Computer Security, 7(4), 171.<br />
Ehikhamenor, F.A. (2002). Socio-economic factors in the application of <strong>information</strong> and<br />
communication technologies in Nigerian print media. Journal of the American Society for<br />
Information Science and Technology, 53(7), 602-611.<br />
Ford, D.P., Connelly, C.E. and Meister, D.B. (2003). Information systems research and Hofstede’s<br />
Culture’s Consequences: An uneasy and incomplete partnership. IEEE Transactions on<br />
Engineering Management, 50(1), 8-25.<br />
Giacobbe-Miller, J.K., Miller, D.J., Zhang, W. and Victorov, V.I. (2003). Country and organizationallevel<br />
adaptation to foreign workplace ideologies: a comparative study of distributive justice values<br />
in China, Russia and the United States. Journal of International Business Studies, 34, 389-406.<br />
Gomez, C. and Werner, S. (2004). The effect of institutional and strategic forces on management style<br />
in subsidiaries of U.S. MNCs in Mexico. Journal of Business Research, 57(10), 1135-1144.<br />
Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Richardson, R. (2004). 2004 CSI/FBI Computer Crime<br />
and Security Survey.<br />
Hansen, M., Nohria, N. and Tierney, T. (1999). What’s your strategy for managing knowledge?<br />
Harvard Business Review, 106-116.<br />
Hofstede, G. (1980). Culture's Consequences: International Differences in Work Related Values.<br />
Beverly Hills, CA: Sage.<br />
Hofstede, G. (1997). Cultures and Organizations: Software of the Mind. New York: McGraw Hill.<br />
Hofstede, G. (2001). Culture's Consequences: International Differences in Work Related Values. 2nd<br />
ed. Thousand Oaks, Ca: Sage.<br />
Hofstede, G. and Peterson, M.F. (2000). National culture and organization culture. In N. Ashkanasy,<br />
C. Wilderom, and M. F. Peterson (Eds.), Handbook of Organizational Culture and Climate: 401-<br />
415. Thousan Oaks, CA: Sage.
Hu, Q., Hart, P. and Cooke, D. (2007). The role of external and internal influences on <strong>information</strong><br />
systems <strong>security</strong> – A neo-institutional perspective. Journal of Strategic Information Systems, 16,<br />
153-172.<br />
Igbaria, M. (1992). An examination of microcomputer usage in Taiwan. Information and<br />
Management, 22, 19-28.<br />
Igbaria, M., Tor, G. and Gordon, B.D. (1995). Testing the determinants of microcomputer usage via a<br />
structural equation model. Journal of Management Information Systems, 13(1), 127-143.<br />
Jensen, R. and Szulanski, G. (2004). Stickiness and the adaptation of organizational practices in crossborder<br />
knowledge transfers. Journal of International Business Studies, 35(6), 508-523.<br />
Kabay, M.E. (2002). Developing <strong>security</strong> <strong>policies</strong>. In S. Bosworth and M. E. Kabay (Eds.), Computer<br />
Security Handbook. 4th ed. New York: John Wiley & Sons, Inc.<br />
Ko, D., Kirsch, L.J. and King, W.R. (2005). Antecedents of knowledge transfer from consultants to<br />
clients in enterprise system implementations. MIS Quarterly, 29(1), 59-85.<br />
Kogut, B. and Singh, H. (1988). The effect of national culture on the choice of entry mode. Journal of<br />
International Business Studies, 19(3), 411-431.<br />
Kostova, T. (1996). Success of the transnational transfer of organizational practices within<br />
multinational companies. University of Minnesota, Minneapolis.<br />
Kostova, T. (1999). Transnational transfer of strategic organizational practices: A contextual<br />
perspective. Academy of Management Review, 24(2), 308-324.<br />
Kostova, T. and Roth, K. (2002). Adoption of an organizational practice by subsidiaries of<br />
multiniational corporations: institutional and relational effects. Academy of Management Journal,<br />
45(1), 215-233.<br />
Kostova, T. and Roth, K. (2003). Social capital in multinational corporations and a micro-macro<br />
model of its formulation. Academy of Management Review, 28(2), 297-317.<br />
Kostova, T. and Zaheer, S. (1999). Organizational legitimacy under conditions of complexity: The<br />
case of the multinational enterprise. Academy of Management Review, 24(1), 64-81.<br />
Levine, D. E. (2002). Monitoring and control systems. In S. Bosworth, & M. E. Kabay (Eds.),<br />
Computer Security Handbook. 4th ed. New York: John Wiley & Sons, Inc.<br />
Liu, W. (2004). The cross-national transfer of HRM practices in MNCs: An integrative research<br />
model. International Journal of Manpower, 25(6), 500-517.<br />
Minbaeva, D., Pederson, T., Bjorkman, I., Fey, C.F. and Park, H.J. 2003. MNC knowledge transfer,<br />
subsidiary absorptive capacity, and HRM. Journal of International Business Studies, 34, 586-599.<br />
Munir, K.A. (2002). Being different: How normative and cognitive aspects of institutional<br />
environments influence technology transfer. Human Relations, 55(12), 1403-1428.<br />
Pavlia, P.C. (1998). Research issues in global <strong>information</strong> technology management. Information<br />
Resource Management Journal, 11(2), 27-36<br />
Rosenzweig, P.M. and Singh, J.V. (1991). Organizational environments and the multinational<br />
enterprise. Academy of Management Review, 16(2), 340-361.<br />
Sandhu, R. (2002). Identification and authentication. In S. Bosworth, & M.E. Kabay (Eds.), Computer<br />
Security Handbook. 4th ed. New York: John Wiley & Sons, Inc.<br />
Scott, W.R. (1995). Institutions and Organizations. Thousand Oaks; CA: SAGE.<br />
Shenkar, O. (2001). Cultural Distance Revisited: Towards a more rigorous conceptualization and<br />
measurement of <strong>cultural</strong> differences. Journal of International Business Studies, 32(3), 519-535.<br />
Siponen, M.T. (2000). Critical analysis of different approaches to minimizing user-related faults in<br />
<strong>information</strong> systems <strong>security</strong>: implications for research and practice. Information Management &<br />
Computer Security, 8(5), 197-209.<br />
Sirmon, D.G. and Lane, P.J. (2004). A model of <strong>cultural</strong> differences and international alliance<br />
performance. Journal of International Business Studies, 35(5), 306-319.<br />
Straub, D., Keil, M. and Brenner, W. (1997). Testing the technology acceptance model across cultures:<br />
A three country study. Information and Management, 33, 1-11.<br />
Straub, D.W. and Welke, J.R. (1998). Coping with systems risk: Security planning models for<br />
management decision making. MIS Quarterly, 22(4), 441.
Szulanski, G. (1996). Exploring internal stickiness: Impediments to the transfer of best practice within<br />
the firm. Strategic Management Journal, 17, 27-43.<br />
Szulanski, G. (2000). The Process of Knowledge Transfer: A diachronic analysis of stickiness.<br />
Organizational Behavior and Human Decision Processes, 82(2), 9-27.<br />
Thompson, M.E. and von Solms, B. (1998). Information <strong>security</strong> awareness: Educating our users<br />
effectively. Information Management & Computer Security, 6(4), 167-173.<br />
Wakefield, R.L. (2004). Network <strong>security</strong> and password <strong>policies</strong>. The CPA Journal, 74(7), 6.<br />
Westney, D.E. (1993). Institutionalization Theory and the Multinational Corporation. New York: St.<br />
Martin's Press.<br />
Whitman, M.E. (2004). In defense of the realm: Understanding the threats to <strong>information</strong> <strong>security</strong>.<br />
International Journal of Information Management, 24, 43-57.<br />
Xu, D. and Shenkar, O. (2002). Institutional distance and the multinational enterprise. Academy of<br />
Management Review, 27(4), 608-618.