Article

Human-Related Problems of Information Security in East African Cross-Cultural Environments.


Abstract

Purpose – The purpose of this paper is to find what kinds of problems, while implementing information security policy, may take place in foreign companies in the East African Community (EAC) because of cultural differences, and to suggest supplemental countermeasures in international frameworks such as the Committee of Sponsoring Organizations of the Treadway Commission and ISO/IEC 27001.

Design/methodology/approach – Setting potential problems based on Hofstede's scores of cultural dimensions and the authors' experience, this paper first predicts potential problems by using the theory of level of potential. Local employees working for foreign companies were polled to evaluate the severity of the problems. Based on the survey results, the paper finds which problems may take place, what triggers them and how severe they are. Finally, it finds countermeasures to prevent the problems.

Findings – Overall, British, US and Japanese companies are found to have a higher potential of facing problems in the EAC. The problem of "using a previous company's confidential information" has been found to have the highest severity. British, US and Belgian companies have individualism-originated problems. Japanese companies have the highest potential of facing problems due to masculinity. Chinese companies have the highest potential of facing problems due to long-term orientation. In addition, a list of countermeasures is proposed to protect business information.

Originality/value – The paper has identified information security management (ISM)-related problems with their severities for each of the selected investing countries in the EAC, applying a new method to predict potential problems concerning ISM in foreign companies. It has recommended practical countermeasures against the six serious problems identified.


... Some roles may also include the authority to make security decisions, approve other users' actions, and change the ISP (Goel and Chengalur-Smith, 2010; Ward and Smith, 2002; Wood, 1995). Some authors warn us about making overly simplistic assumptions about the authority of security decisions residing at the top tier of the organization and recommend an analysis of the actual power structure, which may differ across organizations and cultures (Asai and Hakizabera, 2010; Coles-Kemp, 2009; Dinev et al., 2009; Lapke and Dhillon, 2008). ...
... The policy-planning process creates an understanding of the need for security and defines acceptable security levels to protect information (Klaic and Hadjina, 2011; Ward and Smith, 2002; Yeniman Yildirim et al., 2011). The ISP can guide the information security culture of the organization so that the members help each other to prevent incidents (Asai and Hakizabera, 2010; Da Veiga and Eloff, 2010). The ISP should create a secure environment where the privacy of its subjects and other stakeholders is also considered (Talbot and Woodward, 2009). ...
... One way to improve the effectiveness of these kinds of controls is to include staff in designing them to ensure that they do not conflict with people's information use rationale (Balozian and Leidner, 2017; Hedström et al., 2013). The local national culture affects the effectiveness of different controls, which is why understanding the local social norms and social control mechanisms is important when designing the ISP (Asai and Hakizabera, 2010; Dinev et al., 2009). The content of the ISP documentation may vary greatly across organizations depending on the design principles they have adopted in forming it (Siponen and Iivari, 2006). The documentation may include only general statements and rationale, or details of responsibilities and countermeasures as well (Olnes, 1994). ...
Article
Despite the prevalence of research that exists under the label of “information security policies” (ISPs), there is no consensus on what an ISP means or how ISPs should be developed. This article reviews state-of-the-art ISP development by examining a diverse sample of literature on the subject. The definition and function of an ISP is studied first, revealing a rich tapestry of different notions behind the same term. When looking at the broad picture of the research on ISP development methods, we find different phases and levels of detail. Analyzing the different views on the content, context, and strategy alignment provides for further understanding on the complexity of the matter. As an outcome, we raise issues in ISP definitions and development methods that should be addressed in future research and practical applications. This review concludes that for state-of-the-art ISP development, the focus should shift more toward organization-specific information security needs, as the direction of the current research is still lacking contributions that would show how contextual factors could be successfully integrated into ISP development.
... Amongst published articles, human error is identified as being associated with a large proportion of information security incidents or breaches (Komatsu et al., 2013; Stewart and Jürjens, 2017) and as the most critical factor in the management of information security (Stewart and Jürjens, 2017). Literature has consistently presented that effective information security management must essentially embrace the human factor in addition to technology (Werlinger et al., 2009; Asai and Hakizabera, 2010; Frangopoulos et al., 2014; Stewart and Jürjens, 2017; Hadlington et al., 2019) and that the security of IT systems and platforms has been undermined by human failings (Lacey, 2010). ...
... Alavi et al. (2016) presented research which found that 64 per cent of security incidents were directly related to human error, whereas Asai and Hakizabera (2010) stated in their research that 80 per cent of information security breaches are caused by human error. The information security field should study methods used within the safety field (Lacey, 2010), where it was found that 90 per cent of accidents were caused by human ICS failure. ...
Article
Purpose – This paper aims to provide an understanding of the proportions of incidents that relate to human error. The information security field experiences a continuous stream of information security incidents and breaches, which are publicised by the media, public bodies and regulators. Despite the need for information security practices being recognised and in existence for some time, the underlying general information security affecting tasks and causes of these incidents and breaches are not consistently understood, particularly with regard to human error.

Design/methodology/approach – This paper analyses recently published incidents and breaches to establish the proportions of human error and, where possible, subsequently uses the HEART (human error assessment and reduction technique) human reliability analysis technique, which is established within the safety field.

Findings – This analysis provides an understanding of the proportions of incidents and breaches that relate to human error, as well as the common types of tasks that result in these incidents and breaches, through adoption of methods applied within the safety field.

Originality/value – This research provides an original contribution to knowledge through the analysis of recent public sector information security incidents and breaches to understand the proportions that relate to human error.
... Also, favouritism exists in the Zanzibar society based on blood relation, marriage, region of birth, area of residency and political affiliation. According to Hofstede's national culture index, Zanzibar as part of East Africa has moderate power distance, low individualism, moderate masculinity, moderate uncertainty avoidance and low long-time orientation [9]. In 2012 Zanzibar planned to adopt an e-government system [10]. ...
Article
After identifying how trust and semiotics work considering the case of Zanzibar, we compare two contrasting e-Bank site localization design paradigms, namely those of Deutsche Bank and HSBC, with respect to two target audiences, namely China and Taiwan. The findings of the e-Culture audit are aligned to the ubiquitous set of cultural dimensions first defined by Geert Hofstede. This alignment appears to show that the "Western" stereotypical paradigm is not in alignment with either Hofstede's Individualism/Collectivism metric or with normative semiotic signs that reflect vibrant local urban street cultures. We go on to suggest that the use of card-sorting may speculatively be used to better engender localized sites that are aligned to a local culture.
... Alavi, Islam and Mourtadis [22] presented similar findings, in which 64% of security incidents are directly related to human error. Further research presented by Asai and Hakizabera [23] suggests that 80% of information security breaches are caused by human error. The Cyber Security Breaches Survey [24] states that human error is amongst the most common factors contributing to the most disruptive breaches, indicating that human error is not only exposing organisations to the majority of incidents, but also that those are the most impacting. ...
Article
Full-text available
Information security has recognised the human as the weakest link. Despite numerous international or sector-specific standards and frameworks, the information security community has not yet adopted formal mechanisms to manage human errors that cause information security breaches. Such techniques have, however, been established within the safety field, where human reliability analysis (HRA) techniques are widely applied. In previous work we developed Information Security Core Human Error Causes (IS-CHEC) to fill this gap. This case study presents empirical research that uses IS-CHEC over a 12-month period within two participating public and private sector organisations in order to observe and understand how the implementation of the IS-CHEC information security HRA technique affected the respective organisations. The application of the IS-CHEC technique enabled the proportions of human error related information security incidents to be understood, as well as the underlying causes of these incidents. The study captured the details of the incidents in terms of the most common underlying causes, selection of remedial and preventative measures, volumes of reported information security incidents, proportions of human error, common tasks undertaken at the time the incident occurred, as well as the perceptions of key individuals within the participating organisations through semi-structured interviews. The study confirmed in both cases that the vast majority of reported information security incidents relate to human error, and although the volumes of human error related incidents pertaining to both participating organisations fluctuated over the 12-month period, the proportions of human error remained consistently the majority root cause.
... Approachable management enhances information security because employees are not fearful of the negative consequences of raising concerns with senior staff (Chipperfield & Furnell, 2010). On the other hand, Asai and Hakizabera (2010) found that high power distance can lead to problems with information security because subordinates feel it is a managerial concern, not theirs. ...
Article
Full-text available
This study explores how aspects of perceived national culture affect the information security attitudes and behavior of employees. Data was collected using 19 semi-structured interviews in Ireland and the United States of America (US). The main findings are that US employees in the observed organizations are more inclined to adopt formalized information security policies and procedures than Irish employees, and are also more likely to have higher levels of compliance and lower levels of non-compliance.
... , India, China (Asai, Yun and Caibutengdaoriji, 2011), Brazil, Thailand (Siripukdee et al., 2010), Venezuela (Castillo et al., 2009), Malaysia and East Africa (Asai and Hakizabera, 2010) were carried out during the time span of 2008 through 2010 through Internet-based surveys. The entire lists of potential problems, lists of questions composed of conditions triggering the problems, survey profiles, summarized survey results and detailed analyses of the results of these surveys are available in the above references. ...
Article
Purpose – This paper examines common features in local employees’ behavior leading to problems in information security in foreign companies due to cultural differences between foreign managers and local workers. Design/methodology/approach – The investee countries of Russia, India, China, Brazil, Thailand, Venezuela, Malaysia and the East African Community are examined. Potential human-related problems developed using Hofstede’s framework of culture and the results of previously conducted studies are examined and their linkage to cultural dimensions are validated using human behavioral heuristics. Findings – The problems of “Unintentional sharing of confidential information” and “Concealing faults made by friends” occur because of lower individualism of investee countries, while the problem of “Using any means to reach goals owing to high competition” occurs because of higher masculinity of the society. Originality/value – This paper has identified that human-related information security problems are linked to the investee countries’ cultural dimensions through the behavioral patterns influenced by their cultures.
Article
Full-text available
Purpose – After 15 years of research, this paper aims to present a review of the academic literature on ISO/IEC 27001, the most renowned standard for information security and the third most widespread ISO certification. Emerging issues are reframed through the lenses of social systems thinking, deriving a theory-based research agenda to inspire interdisciplinary studies in the field.

Design/methodology/approach – The study is structured as a systematic literature review.

Findings – Research themes and sub-themes are identified on five broad research foci: relation with other standards, motivations, issues in the implementation, possible outcomes and contextual factors.

Originality/value – The study presents a structured overview of the academic body of knowledge on ISO/IEC 27001, providing solid foundations for future research on the topic. A set of research opportunities is outlined, with the aim of inspiring future interdisciplinary studies at the crossroads between information security and quality management. Managers interested in the implementation of the standard and policymakers can find an overview of academic knowledge useful to inform their decisions related to implementation and regulatory activities.
Article
Full-text available
Purpose – The purpose of this paper is to survey existing information security policy (ISP) management research to scrutinise the extent to which manual and computerised support has been suggested, and the way in which the suggested support has been brought about.

Design/methodology/approach – The results are based on a literature review of ISP management research published between 1990 and 2017.

Findings – Existing research has focused mostly on manual support for managing ISPs. Very few papers have considered computerised support. The entire complexity of the ISP management process has received little attention. Existing research has not focused much on the interaction between the different ISP management phases. Few research methods have been used extensively, and intervention-oriented research is rare.

Research limitations/implications – Future research should to a larger extent address the interaction between the ISP management phases, apply more intervention research to develop computerised support for ISP management, and investigate to what extent computerised support can enhance integration of ISP management phases and reduce the complexity of such a management process.

Practical implications – The limited focus on computerised support for ISP management affects the kind of advice and artefacts the research community can offer to practitioners.

Originality/value – Today, there are no literature reviews on the extent to which computerised support for the ISP management process has been suggested. Findings on how the complexity of ISP management has been addressed and the research methods used extend beyond the existing knowledge base, allowing for a critical discussion of existing research and future research needs.
Article
Purpose – The purpose of this case study is to examine the factors that impact higher education employees' violations of information security policy by developing a research model based on grounded theories such as deterrence theory, neutralization theory, and justice theory.

Design/methodology/approach – The research model was tested using 195 usable responses. After conducting model validation, the hypotheses were tested using multiple linear regression.

Findings – The results of the study revealed that procedural justice, distributive justice, severity and celerity of sanction, privacy, responsibility, and organizational security culture were significant predictors of violations of information security measures. Only interactional justice was not significant.

Research limitations/implications – As with any exploratory case study, this research has limitations such as the self-reported information and the method of measuring the violation of information security measures. With respect to the method of measuring information security violations, it has been a challenge for researchers. Of course, the best method is to capture the actual behavior. Another limitation to our case study which might have affected the results is the significant number of faculty members in the respondent pool. The shared governance culture of faculty members on a U.S. university campus might bias the results more than in a company environment. Caution should be applied when generalizing the results of this case study.

Practical implications – The findings validate past research and should encourage managers to ensure employees are involved with developing and implementing information security measures. Additionally, the information security measures should be applied consistently and in a timely manner. Past research has focused more on the certainty and severity of sanctions and not as much on the celerity or swiftness of applying sanctions. The results of this research indicate there is a need to be timely (swift) in applying sanctions. The importance of information security should be grounded in company culture. Employees should have a strong sense of treating company data as they would want their own data to be treated.

Originality/value – Setting and enforcing in a timely manner a solid sanction system would help in preventing information security violations. Moreover, creating a culture that fosters information security would help in positively affecting the employees' perceptions toward privacy and responsibility, which in turn impacts information security violations. This case study applies some existing theories in the context of the U.S. higher education environment. The results of this case study contributed to the extension of existing theories by including new factors on one hand, and confirming previous findings on the other hand.
Article
Cloud computing is synonymous with outsourced data center management and agile solution architecture that improves the scalability of service delivery for enterprises. It has the capability to revolutionize how data is delivered, from commodity to Information Technology as a service. At its core, Cloud computing is a new approach to distributed computing and shared pooling of IT infrastructure linked together to offer centralized IT services on demand. Companies that provide Cloud computing services manage multiple virtualized computation systems that allow for dynamic on-demand provisioning of IT delivery as services. This chapter presents a study of the factors that influence the adoption of Cloud computing in enterprises based on management's perception of security, cost-effectiveness, and IT compliance. The results of a linear regression analysis are presented, which indicate that managers' perceptions of cost-effectiveness and IT compliance are more significantly correlated with enterprise adoption of Cloud computing than security.
Article
Full-text available
This study seeks the level of awareness amongst academic librarians in private colleges in the districts of Shah Alam, Petaling Jaya, and Damansara. The matrix analysis of the literature review in this study succeeded in producing factors that contribute to information security awareness. Information security awareness plays an important role in the continuity of an organization. Information security refers to the elements of confidentiality, integrity, and availability of data or information in an organization. The research began with definitions of information, information security, and information security awareness, as identified by previous publications. The four independent variables established in this study are policy of information security, education of information security, knowledge of IT, and employees' behaviour towards information security in the workplace. A survey was selected as the research method for the study, and was conducted in order to gain respondents' feedback on the level of information security awareness. The respondents of the study consisted of librarians from private colleges in the Shah Alam, Petaling Jaya, and Damansara areas. The survey findings showed that the level of information security awareness was considered high, but the relation or contribution factors proposed by this study were only slightly correlated. This was proved in the correlation coefficient analysis in this study, in Chapter 4. From these findings, it can be concluded that further research is needed to clarify the contributing factors of information security awareness in an information provider, such as librarians in a library organization.
Article
Purpose – This paper aims to investigate factors that impact the number of information security policy violations in Qatari organizations and to examine the moderating effect of Hofstede’s cultural dimensions on the relationships between the independent factors and the number of information security policy violations. Design/methodology/approach – Grounded in related theories from the fields of criminology, behavioral psychology and theory of planned behavior, two components that affect the number of information security policy violations were identified. A quantitative approach was used by developing a questionnaire survey to collect the data. The research model was tested using 234 employees from different Qatari organizations. Findings – The results of the study indicate that trust, the impact of implementing information security policy on work environment and the clarity of the scope of the information security policy were significant factors in predicting the number of information security policy violations. The findings also reveal that cultural dimensions such as uncertainty avoidance and collectivism moderate the relationships between trust, clarity of policy scope and impact of information security policy on work environment and the number information security policy violations. Research limitations/implications – The generalizability of the results is limited because the sample of the study was drawn from only one developing country. Therefore, a plausible future research could be testing the proposed model in many developing and developed countries. Practical implications – The paper includes practical implications for developing and implementing security measures and policies in diversified work environments. Originality/value – This study fulfils a gap in investigating the factors that influence the number of information security policy violations and the moderating effect of cultural dimensions in developing countries such as Qatar.
Article
Full-text available
This paper discusses the potential problems due to cultural differences which foreign companies may face in Brazil concerning information security. The top three investing countries in Brazil, namely the US, the Netherlands, and Japan, are examined. Potential problems concerning the management of people in information security are developed by using Geert Hofstede's framework and based upon the authors' experience in global business activities. To evaluate the magnitude of potential problems, a recently proposed measure called Level of Potential (LoP) is adopted. A survey was conducted in Brazil to evaluate the severity of potential problems and the practicability of LoP. To examine the practicability of LoPs, the logical LoPs are compared with their surveyed severities. Our results show that LoP can predict problems to a certain extent in the Brazilian business environment. The results reveal that Japanese companies may face problems least, while the Dutch ones face the difficulties most. The problem of "Using previous company's confidential information" is the problem with the highest severity among the potential problems, since "teaching others" is encouraged by employees' belief.
Article
This paper discusses the difference that should exist between Information Security Operational Management and Information Security Compliance Management. The paper argues that for good Information Security Governance, good IT Governance and good Corporate Governance, these two dimensions of Information Security Management should be totally separate, and housed in separate departments.
Conference Paper
Security is both a feeling and a reality. And they’re not the same. The reality of security is mathematical, based on the probability of different risks and the effectiveness of different countermeasures. We can calculate how secure your home is from burglary, based on such factors as the crime rate in the neighborhood you live in and your door-locking habits. We can calculate how likely it is for you to be murdered, either on the streets by a stranger or in your home by a family member. Or how likely you are to be the victim of identity theft. Given a large enough set of statistics on criminal acts, it’s not even hard; insurance companies do it all the time.
Human error at the center of IT security breach
  • M Bean
Human Resource Management: Global Strategies for Managing a Diverse Work Force
  • M R Carrel
  • N F Elbert
  • R D Hatfield
Trompenaars' four diversity cultures
  • D Straker
Potential problems on information security management in cross-cultural environment - a study of cases of foreign companies including Japanese companies in Indonesia
  • T Asai
  • L Waluyan
East Africa - a rising investment destination, available at: www.africamatters.com/news.asp?
  • B L Chalker
Activities of IPA concerning information security and behavior
  • A Komatsu
Cultural differences, available at: www.leadervalues.com/content/detail.asp? contentDetaillD-255&Type= More
  • M Yates