Does Context Always Matter?
The Critical Role of Contextual Differences in Information Security Policy Compliance Behavior Research
by Sebastian Hengstler
Date of Examination: 2024-09-24
Date of issue: 2025-01-07
Advisor: Prof. Dr. Simon Trang
Referee: Prof. Dr. Simon Trang
Referee: Prof. Dr. Lutz M. Kolbe
Referee: Prof. Dr. Michael Wolff
Abstract
The risk of information security breaches in companies is escalating due to the increasing digitalization of business processes and employee activities within their daily work environment. While technical measures can mitigate the risk of damage to the company, they cannot offer complete protection. Employee behavior, particularly non-compliance with organizational information security policies, poses a significant risk. Therefore, non-technical measures are necessary to minimize or prevent such breaches. Neglecting this aspect of information security can lead to substantial damage, potentially jeopardizing the entire business operation. Research in the field of information security outlines strategies for defining information security policies, designing appropriate security measures, and conducting employee training programs. However, existing approaches often provide only generalized solutions. To achieve differentiation, the incorporation of cultural considerations is essential. In an international and multicultural workplace, companies face numerous challenges, including operating across global locations, collaborating within multicultural teams, and navigating industry-specific corporate cultures. Current research suggests that various contextual perspectives, such as culture, organizational dynamics, and job differences, may influence information security policy compliance behavior. Nonetheless, it does not offer clear insights into the specific areas of dependency or practical management strategies. This dissertation investigates the relationship between contextual differences and information security policy compliance behavior through four empirical studies. It demonstrates the diverse ways that contextual differences influence compliance behavior. The analysis is grounded in empirical research and applicable theories in the field of information security, presenting the results in a manner that is readily transferable to practice. 
The studies indicate that contextual differences can impact information security at multiple levels, including cultural variations, organizational aspects, different types of non-compliance behavior, and individual behavioral tendencies. Subsequent studies within this dissertation provide an in-depth analysis of these contextual aspects. Through the development of a taxonomy and corresponding archetypes, it was possible to illustrate that various types of information security breaches occur both domestically and internationally. Using social learning theory, the importance of cultural values concerning information security policy compliance behavior and the relevance of organizational aspects, such as work experience, are elucidated. A quantile regression analysis helped identify differences in individual behavioral tendencies of employees concerning compliance with information security policies. The findings of this dissertation have significant implications for both research and practice. Firstly, they underscore the importance of contextual aspects within the research context. Additionally, the insights gained highlight the necessity for differentiated information security measures and training that account for cultural and organizational differences, as well as varying types of behavior and individual behavioral values, rather than relying on generalized approaches. The published research articles identify potential areas for future research and provide internationally active companies and organizations with multicultural backgrounds with guidance on where differentiated approaches are necessary to ensure a robust level of information security.
Keywords: information security; information security policy compliance behavior; Behavioral related research