Open Access Open Access  Restricted Access Subscription Access
Open Access Open Access Open Access  Restricted Access Restricted Access Subscription Access

Investigating the Influence of Ethiopian National Culture on Information Security Policy (ISP) Violation : The Case of the Ethiopian Financial Institutions


Affiliations
1 Accounting & Finance Program Unit, School of Commerce, CoBE, Addis Ababa University, Ethiopia
2 Addis Ababa University, Ethiopia
     

   Subscribe/Renew Journal


Nowadays, it is clear that information security is one of the most basic issues that organisations need to focus on. Despite huge investments made by companies to keep their information systems safe, there are many information security breaches that infiltrate companies’ systems; consequently, these cost them their reputation, affect customers’ confidence, and bring huge financial losses. Ethiopian companies are not immune to this security problem, and there are many signs of information security breaches. The literature suggests that almost all investments in information security related issues are for technological solutions. However, this type of solutions alone do not work well, and according to some researchers, there is one significant element that has been given very little attention, the human factor. Most of the information security breaches are caused by employees who are legitimate users of the company’s systems. So ‘how can we counter the illegal action of our own employees?’ is the main objective this study tried to address. The findings showed strong evidence on the influence of contextual factors and national culture, on employees’ information security behaviour, and consequently, it highlighted the importance of taking some level of precaution when organisations introduce new policies or standards that are copied from abroad. Policy makers and ISS managers in Ethiopia, particularly at the Information Network Security Agency (INSA), can learn how important it is to modify or adapt their ISP, which was copied from ISO 27002, based on the findings of this study.

Keywords

Contextual Factors, National Culture, Employees’ Information Security Behaviour, Financial Institutions, Information Systems Security.
Subscription Login to verify subscription
User
Notifications
Font Size


  • Abu-Musa, A. A. (2004). Investigating the security controls of CAIS in an emerging economy: An empirical study on the Egyptian banking industry. Managerial Auditing Journal, 19(2), 272-302.
  • Afroprofile. (2013). Africa’s top 50 banks. Retrieved from http://www.afroprofile.com/index.php/jobs-in-nigeria/africa-s-top-100-banks.html
  • Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179-211.
  • Al-Awadi, M., & Renaud, K. (2007, July). Success factors in information security implementation in organizations. In IADIS International Conference e-Society.
  • Alexander, C. S., & Becker, H. J. (1978). The use of vignettes in survey research. Public Opinion Quarterly, 42(1), 93-104.
  • Alfawaz, S., Nelson, K., & Mohannak, K. (2010, January). Information security culture: A behaviour compliance conceptual framework. In Proceedings of the Eighth Australasian Conference on Information Security (vol. 105, pp. 47-55). Australian Computer Society, Inc.
  • Alghazzawi, D. M., Hasan, S. H., & Trigui, M. S. (2014). Information systems threats and vulnerabilities. International Journal of Computer Applications, 89(3), 25-29.
  • All Africa Global Media Publisher. (2007). Dashen to resume issuing visa cards. Retrieved June 13, 2013, from http://www.allafrica.com/stories/200708271429.html
  • Alreck, P. L., & Settle, R. B. (2004). The survey research handbook (3rd ed.). Boston, MA: McGraw-Hill.
  • Anderson, J. C., & Gerbing, D. W. (1984). The effect of sampling error on convergence, improper solutions, and goodness-of-fit indices for maximum likelihood confirmatory factor analysis. Psychometrika, 49(2), 155-173.
  • Armstrong, J. S., & Overton, T. S. (1977). Estimating nonresponse bias in mail surveys. Journal of Marketing Research, 396-402.
  • Birch, D. G., & McEvoy, N. A. (1995). Structured risk analysis for information systems. Hard Money-Soft Outcomes, 29-51.
  • Choe, J. M. (2004). The consideration of cultural differences in the design of information systems. Information & Management, 41(5), 669-684.
  • Chow, C. W., Deng, F. J., & Ho, J. L. (2000). The openness of knowledge sharing within organizations: A comparative study of the United States and the People’s Republic of China. Journal of Management Accounting Research, 12(1), 65-95.
  • Chua, W. (1986) Radical developments in accounting thought. Accounting Review, 61, 601-632.
  • Clarke, M. (2011). The role of self-efficacy in computer security behavior: Developing the construct of computer security self-efficacy (CSSE). ProQuest LLC.
  • Compeau, D. R., & Higgins, C. A. (1995). Computer self-efficacy: Development of a measure and initial test. MIS Quarterly, 189-211.
  • Converse, J. M., & Presser, S. (1986). Survey questions: Handcrafting the standardised questionnaire. SAGE Publications. D’Arcy, J., & Hovav, A. (2007). Deterring internal information systems misuse. Communications of the ACM, 50(10), 113-117.
  • D’Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security countermeasures and its impact on information systems misuse: A deterrence approach. Information Systems Research, 20(1), 79-98.
  • D’Arcy, J., & Herath, T. (2011). A review and analysis of deterrence theory in the IS security literature: Making sense of the disparate findings. European Journal of Information Systems, 20(6), 643-658.
  • De Mooij, M., & Hofstede, G. (2010). The Hofstede model: Applications to global branding and advertising strategy and research. International Journal of Advertising, 29(1), 85-110.
  • De Vreede, G. J., Jones, N., & Mgaya, R. J. (1998). Exploring the application and acceptance of group support systems in Africa. Journal of Management Information Systems, 197-234.
  • Devamohan, A. (2008). E-banking problems and prospects in Ethiopia. Retrieved from http://wA.Devamohan%20-%20E-banking.htm.
  • Dhillon, G. (1999). Managing and controlling computer misuse. Information Management & Computer Security, 7(4), 171-175.
  • Dhillon, G., & Moores, S. (2001). Computer crimes: Theorizing about the enemy within. Computers & Security, 20(8), 715-723.
  • Ethiopian Radio and Television Agency. (2012). The Ethiopian radio and television agency. Retrieved from http://www.ertagov.com/news/
  • Ferketich, S., Phillips, L., & Verran, J. (1993). Development and administration of a survey instrument for cross-cultural research. Research in Nursing & Health, 16(3), 227-230.
  • Field, A. (2009). Discovering statistics using SPSS. Sage Publication.
  • Hair, J. F., Black, W. C., Babin, B. J., Anderson, R. E., & Tatham, R. L. (2010). Multivariate data analysis (6th ed.). NY: Pearson.
  • Hair, J. F., Black, W. C., Babin, B. J., Anderson, R. E., & Tatham, R. L. (2010). Multivariate data analysis (7th ed.). NY: Pearson.
  • Hamill, J. T., Deckro, R. F., & Kloeber, J. M. (2005). Evaluating information assurance strategies. Decision Support Systems, 39(3), 463-484.
  • Harrington, S. J. (1996). The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions. MIS Quarterly, 20(3), 257-278.
  • Hasan, H., & Ditsa, G. (1999). The impact of culture on the adoption of IT: An interpretive study. Journal of Global Information Management (JGIM), 7(1), 5-15.
  • Hechter, M., & Kanazawa, S. (1997). Sociological rational choice theory. Annual review of 9 to 5 underground: Are you policing computer crimes? MIT Sloan Management Review, 30(4), 35.
  • Hofstede, G. (1980). Culture’s consequences: International differences in work-related values. Beverly Hills, CA: Sage Publications.
  • Hofstede, G. (1983). Dimensions of national cultures in fifty countries and three regions. In Expiscations in Cross-Cultural Psychology. Lisse, Netherlands: Swets & Zeitlinger.
  • Hofstede, G., (1991). Cultures and organizations: Software of the mind: Intercultural cooperation and its importance for survival. London: McGraw-Hill.
  • Hofstede, G. (2000). The information age across cultures. Proceedings of 5th AIM Conference: Information Systems and Organizational Change.
  • Johns, S. K., Smith, M., & Norman, C. S. (2002). How culture affects the use of information technology. In Accounting Forum (vol. 27, no. 1, pp. 84-109).
  • Jones, M. L. (2007). Hofstede-culturally questionable? Kohlberg, L. (1984). Essays on moral development: The psychology of moral development (vol. 2). NewBrk: Harper & Row.
  • Krueger, N., & Dickson, P. R. (1994). How believing in ourselves increases risk taking: Perceived selfefficacy and opportunity recognition. Decision Sciences, 25(3), 385-400.
  • Lafree, G., Ducan, L., & Piquero, A. R. (2005). Testing a rational choice model of airline hijackings. Criminology, 43(4), 340-361.
  • Morgan, G. A., & Griego, O. V. (1998). Easy use and interpretation of SPSS for Windows: Answering research questions with statistics. Psychology Press.
  • Shore, B., Venkatachalam, A. R., Solorzano, E., Burn, J. M., Hassan, S. Z., & Janczewski, L. J. (2001). Softlifting and piracy: Behavior across cultures. Technology in Society, 23(4), 563-581.
  • Singleton, J., & Straits, B. C. (2005). Approaches to social research. New York, NY: Oxford University Press.
  • Siponen, M. T. (2000). A conceptual foundation for organizational information security awareness. Information Management & Computer Security, 8(1), 31-41.
  • Siponen, M. T. (2001). Five dimensions of information security awareness. Computers and Society, 31(2), 24-29.
  • Siponen, M. T. (2005). An analysis of the traditional IS security approaches: Implications for research and practice. European Journal of Information Systems, 14(3), 303-315.
  • Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34(3), 487.
  • Siponen, M., Pahnila, S., & Mahmood, A. (2006). Factors influencing protection motivation and IS security policy compliance. In Innovations in Information Technology (pp. 1-5). IEEE.
  • Siponen, M., Pahnila, S., & Mahmood, A. (2007). Employees’ adherence to information security policies: An empirical study. In New Approaches for Security, Privacy and Trust in Complex Environments (pp. 133-144). US: Springer.
  • Slay, J. (2003). IS security, trust and culture: A theoretical framework for managing IS security in multicultural settings. The Emerald Research Register, 20(3), 98-104.
  • Soares, A. M., Farhangmehr, M., & Shoham, A. (2007). Hofstede’s dimensions of culture in international marketing studies. Journal of Business Research, 60(3), 277-284.
  • Sommestad, T., Hallberg, J., Lundholm, K., & Bengtsson, J. (2014). Variables influencing information security policy compliance: A systematic review of quantitative studies. Information Management& Computer Security, 22(1), 42-75.
  • Son, J. Y. (2011). Out of fear or desire? Toward a better understanding of employees’ motivation to follow IS security policies. Information & Management, 48(7), 296-302.
  • Straub, D. W., & Nance, W. D. (1990). Discovering and disciplining computer abuse in organizations: A field study. MIS Quarterly, 45-60.
  • Straub, D. W. (1994). The effect of culture on IT diffusion: E-Mail and FAX in Japan and the US. Information Systems Research, 5(1), 23-47.
  • Straub, D. W., & Welke, R. J. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 441-469.
  • Straub, D. W., Boudreau, M. C., & Gefen, D. (2004). Validation guidelines for IS positivist research. The Communications of the Association for Information Systems, 13(1), 63.
  • Zhang, Z., Wong, D. S., Xu, J., & Feng, D. (2006, June). Certificateless public-key signature: Security model and efficient construction. In International Conference on Applied Cryptography and Network Security (pp. 293-308). Springer Berlin Heidelberg.

Abstract Views: 51

PDF Views: 0




  • Investigating the Influence of Ethiopian National Culture on Information Security Policy (ISP) Violation : The Case of the Ethiopian Financial Institutions

Abstract Views: 51  |  PDF Views: 0

Authors

Dakito Alemu Kesto
Accounting & Finance Program Unit, School of Commerce, CoBE, Addis Ababa University, Ethiopia
Tilahun Muluneh
Addis Ababa University, Ethiopia

Abstract


Nowadays, it is clear that information security is one of the most basic issues that organisations need to focus on. Despite huge investments made by companies to keep their information systems safe, there are many information security breaches that infiltrate companies’ systems; consequently, these cost them their reputation, affect customers’ confidence, and bring huge financial losses. Ethiopian companies are not immune to this security problem, and there are many signs of information security breaches. The literature suggests that almost all investments in information security related issues are for technological solutions. However, this type of solutions alone do not work well, and according to some researchers, there is one significant element that has been given very little attention, the human factor. Most of the information security breaches are caused by employees who are legitimate users of the company’s systems. So ‘how can we counter the illegal action of our own employees?’ is the main objective this study tried to address. The findings showed strong evidence on the influence of contextual factors and national culture, on employees’ information security behaviour, and consequently, it highlighted the importance of taking some level of precaution when organisations introduce new policies or standards that are copied from abroad. Policy makers and ISS managers in Ethiopia, particularly at the Information Network Security Agency (INSA), can learn how important it is to modify or adapt their ISP, which was copied from ISO 27002, based on the findings of this study.

Keywords


Contextual Factors, National Culture, Employees’ Information Security Behaviour, Financial Institutions, Information Systems Security.

References