enforcing information security policies through cultural boundaries

ENFORCING INFORMATION SECURITY POLICIES
THROUGH CULTURAL BOUNDARIES:
A MULTINATIONAL COMPANY APPROACH
Yayla, Ali Alper, School of Management, PO Box 6000, Binghamton University-SUNY,
Binghamton, NY, 13902, USA, ayayla@binghamton.edu
Abstract
Information security policies can be considered as guidelines and used as a starting point to create a
security structure within an organization. Although practitioners continuously emphasize the
importance of such policies, information system scholars have not paid the required attention to this
context from the cross-cultural perspective. The purpose of this study is to look at the cultural and
institutional differences of a multinational company (MNC) and its subsidiaries, and discuss how these
differences affect the MNC’s strategy to enforce corporate information security policies to its
subsidiaries in different cultural settings. The proposed framework considers the effects of the cultural
distance, national economy, institutional distance, and stickiness of the knowledge transfer on the
process of enforcing information security policies from the parent company to its subsidiaries.
Keywords: Information security, Information security policy, Cultural distance, Institutional distance,
Knowledge transfer, Stickiness

1 Introduction
Today, ensuring availability, integrity and confidentiality of information and data concerns many
organizations. Deterrence can be one of the initial steps that organizations can take to ensure
information security (Straub and Welke, 1998). However, successful deterrence depends on
organization’s ability to control its environment with respect to internal and external threats.
Information security policies define the nature of these controls (i.e., technical, formal and informal
controls) and how these controls complement each other (Dhillon, 1999).
Moreover, security policies govern how organizations’ information should be protected (Kabay, 2002;
Barman, 2002). Whitman (2004) posits that a good security policy needs to “outline individual
responsibilities, define authorized and unauthorized uses of the systems, provide venues for employee
reporting of identified or suspects threats to the system, define penalties for violations, and provide a
mechanism for updating policy” (p.52). Enforcing corporate security policies has been reported as one
of the most effective ways to prevent or reduce electronic crime (Gordon et al., 2004). Overall,
security policies can be considered as guidelines and can be used as a starting point for creating a
security structure within an organization (Whitman, 2004).
The nature of multinational companies (MNCs) adds a layer of complexity to enforcing security
policies because MNCs need to consider the effects of different cultural and organizational settings
and integrate these in their corporate security policies. Basing his arguments on Hofstede’s cultural
dimensions, Abdul-Gader (1997) emphasized culture as one of the most important environmental
factors that MNCs should consider while adopting global Information Systems (IS) policies in Arab
Gulf countries. He postulated that misconceptions of understanding about fate in the Islamic context
and the technical capability of the Arab language are some of the issues that need to be considered by
MNCs. However, management practices do not have to be different just because subsidiaries and
parent company are in different countries and cultural settings. In their study, for instance, Anakwe et
al. (2000) concluded that organizational support enhances microcomputer usage in Nigeria. Their
result found support in other studies which demonstrated that similar management practices can be
effective in different cultural settings (Igbaria, et al. 1995; Igbaria, 1992).
Although practitioners continuously emphasize the importance of security policies, IS scholars have
not paid the required attention to this context from the cross-cultural perspective. For instance, in their
citation analysis of IS articles, Ford et al. (2003) found 57 articles about various contexts of IS that
cited Hofstede’s research on national culture. Further analyses showed that IS Management area led
with 25 articles. Within this research stream, however, no study cited Hofstede’s work in the IS Risk
Management context.
We aim to fulfil this gap by looking at cultural and institutional differences of an MNC and its
subsidiaries and by investigating how these differences affect the MNC’s strategy to enforce corporate
security policies to its subsidiaries in different cultural settings. More specifically, we will discuss
cultural distance, institutional distance, and the stickiness of the knowledge transfer and offer series of
propositions. Our goal is to make a unique contribution to the IS security literature by focusing on the
issues to be considered while enforcing information security policies within the MNC framework.
2 Theoretical Framework
According to Minbaeva et al. (2003), MNCs can develop knowledge in one location and exploit it in
another location through internal transfer of knowledge. One way of creating competitive advantage
for MNCs is effectively sharing organizational practices (Jensen and Szulanski, 2004). For example, in
the strategy literature, organizational practices and routines are considered as important sources of

competitive advantage since these assets are difficult to replicate (Jensen and Szulanski, 2004).
Considering that organizational know-how is an important part of a MNC’s global integration strategy,
its competitive advantage partly resides in the effectiveness of sharing these practices and routines.
MNCs are generally under different external and internal pressures. Externally, MNCs have to
consider the institutional, cultural, and economic environments in multiple countries and have to be
isomorphic with the local institutional environment to maintain their legitimacy (Kostova and Roth,
2002). Establishing and maintaining legitimacy in their multiple host environments is critical for
companies that span various countries (Kostova and Zaheer, 1999). Internally, MNCs have to create
consistency among their subsidiaries by leveraging activities worldwide to retain their competitive
advantages (Kostova and Roth, 2002).
We postulate that the process of enforcing information security policies to subsidiary companies
would be affected by the cultural and institutional distances between the parent company and the
subsidiary company. Moreover, the stickiness of the information security context would further affect
this process. Figure 1 presents the framework of our study.
Parent
Company
Cultural
Distance
Stickiness
Institutional
Distance
Enforcing Information Security Policies
Subsidiary
Company
Figure 1: The proposed framework for enforcing information security policies in multinational
companies
The main goal of information security policies is to provide a set of rules and guidelines to protect the
organization from security breaches. Under the umbrella of this goal, organizations can have variety of
security policies addressing different issues such as identification and authorization, Internet access,
contingency planning, and even social networking. Although MNCs can span across continents, the
interconnectedness of IT emphasizes the importance of enforcing information security policies on
subsidiaries by the parent companies. Such that, a security breach or comprise of access rights at the
subsidiary company can easily target the parent company through privilege escalation or social
engineering.
While transferring the actual information security policies consists of a simple process of sending the
policies to the subsidiary companies, it is the implications of adhering with the requirements of such
policies that create the difficulties in enforcing them. Security policies have unique features that
separate them from other management practices. For instance, where a human resources practice
focuses on recruiting, compensation, and performance appraisal, security policies can outline
configuration of intrusion detection systems, management of cryptography keys, and designing secure
infrastructure. Thus, in addition to traditional difficulties as a result of differences in norms, ethics and
values, the technical requirements embedded in information security policies create the unique
challenges in transferring and enforcing these policies to subsidiaries.

2.1 National Culture and Cultural Distance
Various cross-cultural studies reported that there is a certain level of cultural coherence within the
majority of nations (Hofstede and Peterson, 2000). The concepts that describe a nation’s culture can be
derived from Hofstede’s (1980) study across 40 nations. The proposed four culture dimensions from
his study are power distance, individualism versus collectivism, masculinity versus femininity, and
uncertainty avoidance. The cultural distance (Kogut and Singh, 1988) is derived as a composite index
from Hofstede’s culture dimensions and widely used in international business and various other
business disciplines (Shenkar, 2001). Literature suggests that the cultural distance can affect various
organizational level decisions including choice of entry mode of the MNC (Kogut and Singh, 1988),
performance of alliances (Sirmon and Lane, 2004), distributed justice values (Giacobbe-Miller et al.,
2003), and human resources management practices (Liu, 2004). These studies conclude that cultural
dimensions and cultural distance index have a central role in MNCs’ global strategy.
The cultural dimensions have substantial importance in the success of enforcing security policies from
the parent company to its subsidiaries as well. From the power distance perspective, it is important to
look at the effects of restrictions outlined in security policies. Access controls, for example, can be
considered as an effective measurement that is enforced by certain security policies. These controls
restrict users from series of actions such as downloading files from the Internet, installing programs,
and accessing certain parts of a computer network (Barman, 2002; Wakefield, 2004; Kabay, 2002).
With respect to enforcing security policies, these restrictions may be problematic in high power
distance cultures because adoption of power reducing technologies would be limited in such cultures
(Straub et al., 1997).
Hofstede (1980, 1997, 2001) posits that masculine societies put more stress on careers. This may lead
masculine societies being performance oriented. Therefore, any technological or policy-based change
in organizations that may hinder performance would create conflicts in masculine societies.
Technologies outlined in security policies such as firewalls, antivirus programs, and passwords are
generally considered as having negative effects on performance (Bace, 2002; Barman, 2004; Brussin,
2002; Cobb, 2002; Sandhu, 2002). Therefore, enforcing security policies to masculine societies may
compromise certain drawbacks.
Moreover, security policies reduce ambiguity by outlining certain rules and procedures. The salience
of these policies depends on the society’s level of uncertainty. Weak uncertainty avoidance societies
are in favor of less formalization and standardization, whereas in strong uncertainty avoidance
societies, there is an emotional need for rules (Hofstede, 1997). Therefore, this cultural dimension also
has an impact on enforcing security policies to subsidiaries.
Furthermore, security policies may require actions such as monitoring e-mail messages, recording
keystrokes and collecting private data (Levine, 2002). Similarly, these policies may outline procedures
for disciplining computer abusers in organizations (Barman, 2002). The tolerance level for these issues
may differ across societies with respect to the individualism/collectivism dimension. Considering that
cultural distance index captures the effects of all four cultural dimensions, MNCs that have big
differences in this index compared to their subisidiaries would require different approaches in
enforcing security policies. This leads to our first proposition;
P1a: High cultural distance between the parent company and its subsidiaries will have a negative
effect on the process of enforcing information security policies to the subsidiary companies.
According to Hofstede and Peterson (2000) and Hofstede (2001) the cultural dimensions are useful
and essential, however, they provide only limited detail. Gross national product, given as an example,
often matters more than national culture in the national difference context. Parallel to this line of

thought, digital divide may be considered as an important factor in enforcing security policies to
subsidiaries. Some of the limited examples on digital divide point out the potential effects of
differences in national economies. For example, Dewan et al. (2004) demonstrated the importance of
digital divide on cross-cultural IT penetration. Checchi et al. (2003) posited that governments play a
central role in the implementation of IT policies. However, in less developed countries, the role of
governments becomes more salient, as regional agencies, such as industrial/professional associates and
international agencies step up into the policy making stage. In another study, Ehikamenor (2002)
posited that some of the important factors that inhibit the application of information and
communication technologies in Nigeria are inflation, low GDP, and exchange rates.
Moreover, enforcing security policies in less developed countries would be problematic in terms of
meeting the requirements of such policies. One problem is the availability of skilled IT staff.
Organizations in less developed countries may not have enough human resources or capital to train
their IT staff to meet the requirements. Another problem is the availability of necessary technology.
For instance, required hardware and software products may not be available in less developed
countries. These issues concerning countries’ economic viability lead us to our next proposition;
P1b: Differences in the national economy of the parent company and its subsidiaries will have a
negative effect on the process of enforcing information security policies to the subsidiary
companies.
2.2 Institutional Theory and Institutional Distance
The institutional theory (Scott, 1995) considers the institutional environment as the key determinant of
the firm structure and its behavior. In their review of the institutional theory, Xu and Shenkar (2002)
discussed that the theory has been supported in unitary and domestic environments and received less
support in more complex environments where different institutional demands exist and where strategic
choices are important. One of the research streams in this literature involves the interorganizational
issues. This stream of research is critical from MNCs’ perspective since these companies feel pressure
from two different sides: global integration and local orientation (Westney, 1983). This dual pressure
is also discussed by Rosenzweig and Singh (1991) as the subsidiaries of a multinational enterprise try
to keep the isomorphism with their local environments and at the same time keep the internal
consistency within the enterprise. Gomez and Werner (2004) also considered the effects of double
sided pressure on MNCs and investigated how similarities in management styles of parent and
subsidiary companies have an effect on the performance of the subsidiaries. This study has the
advantage of having all the subsidiaries in one country, and therefore, substituting the potential
confounding effect of national culture. Their results were consistent with the literature and emphasized
the point that management styles should be congruent with the national culture in which the subsidiary
resides.
Scott (1995) defined three pillars of the institutional theory as regulative pillar - the rules and laws to
ensure stability of societies, normative pillar - the similarities between the value creation of
organizations and the societal values, and cognitive pillar - the degree of consistency between
organizations and existing structures of the society (Kostova and Zaheer, 1999; Busenitz et al., 2000).
Following this framework, Kostova (1996, 1999) developed the institutional distance construct. The
institutional distance can be considered as an alternative explanation of MNC behavior to the cultural
distance. The institutional distance is the extent of dissimilarities between host and home
organizations. In other words, it is the difference among the regulatory, normative and cognitive
institutions of two countries (Kostova, 1996). According to the findings of Kostova and Zaheer
(1999), the larger the institutional distance, the more difficult it is for the MNC to establish and
maintain its legitimacy in the host country. Another effect of institutional distance is on the recipient’s

(subsidiary) motivation. On their study, Jensen and Szulanski (2004) found significant negative
relationship between the institutional distance and the recipient’s motivation.
Kostova and Roth (2002) further refined Scott’s (1995) three pillars to introduce the concept of
institutional profile. They posited that the institutional profile of a host country may affect the
adoption of practices at a foreign subsidiary through “the direct institutional pressure on the subsidiary
to adopt the practice” (p. 217). Adoption of practices may also be accomplished through subsidiary’s
employees since institutional theorists advocate that people in organizations are sources of the
institutional elements. As discussed, subsidiaries experience institutional duality because they feel
pressure to reside in parent company’s institutional environment and also to create isomorphism with
their own environment. Kostova and Roth (2002) discuss that this relational context between the
parent and subsidiary company also influences the adoption of practices.
These institutional factors are considered in the IS literature as well. For instance, Munir (2002)
discussed the normative and cognitive factors within the technology transfer context. He defined three
aspects of technology transfer: choosing the right technology, developing managerial and technical
expertise, and accommodating technology into the organization. From the security policies and MNC
perspective, the last aspect carries more weight. In most cases, security policies are supported with
technological infrastructure such as use of firewalls, intrusion detection systems, etc. The normative
influences will require managerial control when more knowledge-intensive technology is being
imported to environments characterized by less knowledge-intensive technology since complex
technologies tend to conflict with existing management practices (Munir, 2002; Hansen et al., 1999).
Overall, security policies have to fit to the existing institutional character of the organizations in order
to be successfully enforced. Since security policies outline several practices such as disciplining
computer abusers, participation to formal training and awareness programs, regular third party audits
and several new hardware and software implementations (Barman, 2002; Siponnen, 2000; Thomson
and von Solms, 1998), a misfit between subsidiaries’ regulatory environment and requirements of the
parent company’s security policies will be problematic. Similar to these arguments, Hu et al. (2007)
reported the effect of all three institutional forces on the initiatives to implement information systems
security practices and protocols in a MNC. This leads to our next proposition;
P2: High institutional distance between the parent company and its subsidiaries will have a negative
effect on the process of enforcing information security policies to the subsidiary companies.
2.3 Stickiness and Knowledge Transfer Process
During the knowledge transfer, parent companies recreate the complex and ambiguous routines in new
settings. Szulanski (1996) argues that stickiness of organizational practices increases the difficulties of
the transfer process. Prior research suggests four issues as important factors that contribute to the
difficulty of knowledge transfer; characteristics of the knowledge transferred, characteristics of the
source, characteristics of the recipient, and characteristics of the context (Szulanski, 1996). After
studying 122 knowledge transfers with respect to these four characteristics, Szulanski (1996)
concluded that the origins of stickiness are the lack of absorptive capacity of the recipient, causal
ambiguity, and the arduous relationship between the source and the recipient.
In their study, Ko et al. (2005) investigated the antecedents of knowledge transfer from consultants to
clients in enterprise system implementations. The data were gathered from 96 enterprise resource
planning projects including 80 client organizations and 38 consulting firms. The antecedents were
grouped into three factors: communication, knowledge and motivational. Their results were also
parallel to Szulanski’s findings. Additional to knowledge factors such as arduous relationship,
absorptive capacity and shared understanding, Ko et al. (2005) found that direct effects of both

source’s and recipient’s intrinsic motivations, source credibility and indirect effects of communication
encoding and decoding competence are also important determinants of the knowledge transfer.
Current understanding of transfer process suggests four stages: initiation, implementation, ramp-up
and integration. Szulanski (2000) posits that organizations experience different types of stickiness in
each stage. His findings show that motivation and perceived reliability are important factors during
the first three stages, and absorptive capacity and causal ambiguity are important predictors of
stickiness when all the stages are put together and the knowledge transfer is considered as a whole.
In the context of information security, the effect of stickiness will be most visible on the technological
requirements of security policies. Configurations of hardware and software programs for large scale
networks require advanced knowledge and experience. This type of knowledge is considered tacit and
therefore hard to document, replicate or transfer. Moreover, slightly different configurations of
computers may prevent adaptation of the same solution in different computer networks. Considering
this “local” solution issue and the tacitness of information security context, transferring security
policies from one organization to another would be considered as sticky. This leads to our last
proposition.
P3: The stickiness of the information security practices will have a negative effect on the process of
enforcing information security policies to the subsidiary companies.
3 Discussion
While information security and globalization can be considered as two sides of the same coin, the lack
of cross-cultural studies in the information security literature is worrisome. Our goal is to provide a
framework as a starting point to fulfil this important gap. This study focuses on the cultural and
institutional differences of MNCs and their subsidiaries and outlines how these differences affect the
MNCs’ strategy to enforce information security policies to their subsidiaries in different cultural
settings.
Regarding the cultural differences, we proposed that high cultural distance will have a negative effect
on the process of enforcing security policies to the subsidiaries. Parallel to this, we also proposed that
differences in national economy and high institutional distance will have negative effects on this
process as well. Lastly, we proposed that the stickiness of the IS security context will have an
inherited detrimental effect on the efforts of enforcing these policies. The practical implications of the
study are also vital. For instance, neglecting the cultural and institutional differences may result in loss
of resources, high employee turnover, and even increased security breaches. Moreover, if it is not
executed properly, the transfer of such policies may increase the dual pressure on the subsidiary,
which in return may hinder their performance. Table 1 outlines these factors and how they relate to
MNCs’ efforts in enforcing information security policies to their subsidiaries.
One limitation of the study is the fact that the business context of the MNC may affect the salience of
the information security policies. Companies in certain industries may need more security than others
to protect their company specific information such as patents, source codes, manufacturing processes,
etc. On the other hand, this study opens many directions for future research. One direction can be the
investigation of the subsidiary absorptive capacity. As discussed above, Szulanski (1996) posits that
the lack of absorptive capacity is one of the most important impediments to knowledge transfer.
Minbaeva et al. (2003) also found significant relation between the absorptive capacity of the
subsidiary and the knowledge transfer within the MNC. Future studies can consider either controlling
the effect of subsidiary’s capacity or including the effects of capacity into the context.

Cultural factors
Sample requirements from
information security policies
Power distance Access control to certain files
Uncertainty avoidance Regular security audits
Masculinity/Femininity Use of anti-virus software
Individualism/Collectivism Use of computer monitoring
National economy
Institutional factors
Regulative
Implementation of advanced hardware
or software
Certain level of encryption required for
storing confidential information
Normative Security certification
Cognitive Skilled employee
Stickiness
Security of wireless infrastructure
Potential issues
In high power distance cultures, it is
harder for IT employees to limit
managers’ rights.
Subsidiaries that are in low uncertainty
cultures can have harder time to comply
with rigid requirements of the parent
company.
Adoption of performance hindering
software can be problematic in high
masculinity cultures due to their focus on
career advancement.
Monitoring employee behavior can result
in negative effect on employee morale,
satisfaction, and performance in
subsidiaries that reside in individualistic
cultures.
Availability of hardware and localization
of software can be limited for subsidiaries
that reside in developing or undeveloped
countries.
Countries of the subsidiaries can lack the
regulations that exist in the parent
company’s country.
Lack of availability of certain
certifications or institutions in
subsidiaries’ countries can limit
subsidiaries to conform with normative
factors.
Lack of education in computer science and
related fields in the subsidiaries’ country
can limit the efforts to comply with the
requirements of the security policy.
Designing a secure and reliable wireless
network requires unique considerations
such as interference from the environment,
size and shape of the buildings, etc. Due to
these localized differences, achieving
success using the same solution can be
limited.
Table 1. Factors that affect MNCs’ efforts in enforcing information security policies to their
subsidiary companies.
Another opportunity to take this study one step further is to investigate the effect of the MNC’s
structure. Barlett and Ghosahal’s (1999) work introduced four different models of MNC:
multinational, international, global and transnational. Each model has different configuration of assets
and capabilities, role of foreign subunits, and development and diffusion of knowledge (Kostova and
Roth, 2003). Therefore, the effectiveness of enforcing information security policies can be contingent

on the different characteristics of these four configuration models. In order to test the propositions and
conduct the suggested future studies, a case study can be conducted to a multinational company with
subsidiaries in different cultural, economical, and institutional settings.
References
Abdul-Gader, A.H. (1997). Information systems strategies for multinational companies in Arab Gulf
countries. International Journal of Information Management, 17(1), 3-12.
Anakwe, U.P., Igbaria, M. and Anandarajan, M. (2000). Management practices across cultures: Role
of support in technology usage. Journal of International Business Studies, 31(4), 653-666.
Bace, R.G. (2002). Vulnerability assessment and intrusion detection systems. In S. Bosworth and M.
E. Kabay (Eds.), Computer Security Handbook. 4th ed. New York: John Wiley & Sons, Inc.
Bartlett, C.A. and Ghoshal, S. (1989). Managing Across Borders: The Transnational Solution. Boston:
Harvard Business School Press.
Barman, S. (2002). Writing Information Security Policies. Indianapolis: New Riders.
Busenitz, L.W., Gomez, C. and Spencer, J.W. (2000). Country institutional profiles: Unlocking
entrepreneurial phenomena. Academy of Management Journal, 43(5), 994-1003.
Brussin, D. (2002). Firewall and proxy servers. In S. Bosworth and M. E. Kabay (Eds.), Computer
Security Handbook. 4th ed. New York: John Wiley & Sons, Inc.
Checchi, R.M., Po-An Hsieh, J.J. and Straub, D.W. (2003). Public IT policies in less developed
countries: A critical assessment of the literature and a reference fFramework. Journal of Global
Information Technology Management, 6(4), 45-64.
Cobb, C. (2002). Antivirus technology. In S. Bosworth and M. E. Kabay (Eds.), Computer Security
Handbook. 4th ed. New York: John Wiley & Sons, Inc.
Dewan, S., Ganley, S. and Kraemer, K.L. (2004). Across the digital divide: A cross-country analysis
of the determinants of IT penetration. Personal Computing Industry Center, UC Irvine.
Dhillon, G. (1999). Managing and controlling computer misuse. Information Management &
Computer Security, 7(4), 171.
Ehikhamenor, F.A. (2002). Socio-economic factors in the application of information and
communication technologies in Nigerian print media. Journal of the American Society for
Information Science and Technology, 53(7), 602-611.
Ford, D.P., Connelly, C.E. and Meister, D.B. (2003). Information systems research and Hofstede’s
Culture’s Consequences: An uneasy and incomplete partnership. IEEE Transactions on
Engineering Management, 50(1), 8-25.
Giacobbe-Miller, J.K., Miller, D.J., Zhang, W. and Victorov, V.I. (2003). Country and organizationallevel
adaptation to foreign workplace ideologies: a comparative study of distributive justice values
in China, Russia and the United States. Journal of International Business Studies, 34, 389-406.
Gomez, C. and Werner, S. (2004). The effect of institutional and strategic forces on management style
in subsidiaries of U.S. MNCs in Mexico. Journal of Business Research, 57(10), 1135-1144.
Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Richardson, R. (2004). 2004 CSI/FBI Computer Crime
and Security Survey.
Hansen, M., Nohria, N. and Tierney, T. (1999). What’s your strategy for managing knowledge?
Harvard Business Review, 106-116.
Hofstede, G. (1980). Culture's Consequences: International Differences in Work Related Values.
Beverly Hills, CA: Sage.
Hofstede, G. (1997). Cultures and Organizations: Software of the Mind. New York: McGraw Hill.
Hofstede, G. (2001). Culture's Consequences: International Differences in Work Related Values. 2nd
ed. Thousand Oaks, Ca: Sage.
Hofstede, G. and Peterson, M.F. (2000). National culture and organization culture. In N. Ashkanasy,
C. Wilderom, and M. F. Peterson (Eds.), Handbook of Organizational Culture and Climate: 401-
415. Thousan Oaks, CA: Sage.

Hu, Q., Hart, P. and Cooke, D. (2007). The role of external and internal influences on information
systems security – A neo-institutional perspective. Journal of Strategic Information Systems, 16,
153-172.
Igbaria, M. (1992). An examination of microcomputer usage in Taiwan. Information and
Management, 22, 19-28.
Igbaria, M., Tor, G. and Gordon, B.D. (1995). Testing the determinants of microcomputer usage via a
structural equation model. Journal of Management Information Systems, 13(1), 127-143.
Jensen, R. and Szulanski, G. (2004). Stickiness and the adaptation of organizational practices in crossborder
knowledge transfers. Journal of International Business Studies, 35(6), 508-523.
Kabay, M.E. (2002). Developing security policies. In S. Bosworth and M. E. Kabay (Eds.), Computer
Security Handbook. 4th ed. New York: John Wiley & Sons, Inc.
Ko, D., Kirsch, L.J. and King, W.R. (2005). Antecedents of knowledge transfer from consultants to
clients in enterprise system implementations. MIS Quarterly, 29(1), 59-85.
Kogut, B. and Singh, H. (1988). The effect of national culture on the choice of entry mode. Journal of
International Business Studies, 19(3), 411-431.
Kostova, T. (1996). Success of the transnational transfer of organizational practices within
multinational companies. University of Minnesota, Minneapolis.
Kostova, T. (1999). Transnational transfer of strategic organizational practices: A contextual
perspective. Academy of Management Review, 24(2), 308-324.
Kostova, T. and Roth, K. (2002). Adoption of an organizational practice by subsidiaries of
multiniational corporations: institutional and relational effects. Academy of Management Journal,
45(1), 215-233.
Kostova, T. and Roth, K. (2003). Social capital in multinational corporations and a micro-macro
model of its formulation. Academy of Management Review, 28(2), 297-317.
Kostova, T. and Zaheer, S. (1999). Organizational legitimacy under conditions of complexity: The
case of the multinational enterprise. Academy of Management Review, 24(1), 64-81.
Levine, D. E. (2002). Monitoring and control systems. In S. Bosworth, & M. E. Kabay (Eds.),
Computer Security Handbook. 4th ed. New York: John Wiley & Sons, Inc.
Liu, W. (2004). The cross-national transfer of HRM practices in MNCs: An integrative research
model. International Journal of Manpower, 25(6), 500-517.
Minbaeva, D., Pederson, T., Bjorkman, I., Fey, C.F. and Park, H.J. 2003. MNC knowledge transfer,
subsidiary absorptive capacity, and HRM. Journal of International Business Studies, 34, 586-599.
Munir, K.A. (2002). Being different: How normative and cognitive aspects of institutional
environments influence technology transfer. Human Relations, 55(12), 1403-1428.
Pavlia, P.C. (1998). Research issues in global information technology management. Information
Resource Management Journal, 11(2), 27-36
Rosenzweig, P.M. and Singh, J.V. (1991). Organizational environments and the multinational
enterprise. Academy of Management Review, 16(2), 340-361.
Sandhu, R. (2002). Identification and authentication. In S. Bosworth, & M.E. Kabay (Eds.), Computer
Security Handbook. 4th ed. New York: John Wiley & Sons, Inc.
Scott, W.R. (1995). Institutions and Organizations. Thousand Oaks; CA: SAGE.
Shenkar, O. (2001). Cultural Distance Revisited: Towards a more rigorous conceptualization and
measurement of cultural differences. Journal of International Business Studies, 32(3), 519-535.
Siponen, M.T. (2000). Critical analysis of different approaches to minimizing user-related faults in
information systems security: implications for research and practice. Information Management &
Computer Security, 8(5), 197-209.
Sirmon, D.G. and Lane, P.J. (2004). A model of cultural differences and international alliance
performance. Journal of International Business Studies, 35(5), 306-319.
Straub, D., Keil, M. and Brenner, W. (1997). Testing the technology acceptance model across cultures:
A three country study. Information and Management, 33, 1-11.
Straub, D.W. and Welke, J.R. (1998). Coping with systems risk: Security planning models for
management decision making. MIS Quarterly, 22(4), 441.

Szulanski, G. (1996). Exploring internal stickiness: Impediments to the transfer of best practice within
the firm. Strategic Management Journal, 17, 27-43.
Szulanski, G. (2000). The Process of Knowledge Transfer: A diachronic analysis of stickiness.
Organizational Behavior and Human Decision Processes, 82(2), 9-27.
Thompson, M.E. and von Solms, B. (1998). Information security awareness: Educating our users
effectively. Information Management & Computer Security, 6(4), 167-173.
Wakefield, R.L. (2004). Network security and password policies. The CPA Journal, 74(7), 6.
Westney, D.E. (1993). Institutionalization Theory and the Multinational Corporation. New York: St.
Martin's Press.
Whitman, M.E. (2004). In defense of the realm: Understanding the threats to information security.
International Journal of Information Management, 24, 43-57.
Xu, D. and Shenkar, O. (2002). Institutional distance and the multinational enterprise. Academy of
Management Review, 27(4), 608-618.