The Influence of National and Organizational Culture on Information System Security Design

Markus Geissler, PhD Professor, Computer Information Science Cosumnes River College Sacramento, California, USA


Post on 01-Feb-2016


TRANSCRIPT

Page 1: The Influence of National and Organizational Culture on Information System Security Design

Markus Geissler, PhD
Professor, Computer Information Science
Cosumnes River College
Sacramento, California, USA

Page 2: The Influence of National and Organizational Culture on Information System Security Design

What is Culture?
Hofstede’s Cultural Dimensions
National vs. organizational culture
Components of Information System Security
Information System Security Design Considerations
Examples

The Influence of National and Organizational Culture on Information System Security Design – Markus Geissler, Ph.D.

Page 3: The Influence of National and Organizational Culture on Information System Security Design

Culture refers to the cumulative deposit of knowledge, experience, beliefs, values, attitudes, meanings, hierarchies, religion, notions of time, roles, spatial relations, concepts of the universe, and material objects and possessions acquired by a group of people in the course of generations through individual and group striving. (Hofstede, 1997)


Page 4: The Influence of National and Organizational Culture on Information System Security Design

Not yet, but… (Click here for evidence.)

Artificial intelligence will give computers the capability to develop cultural traits over time. Until then the only “culture” that computers have will be derived from the traits given to them by their designers, creators and programmers.

Information systems will comprise the Group component of culture.


Page 5: The Influence of National and Organizational Culture on Information System Security Design

Dutch anthropologist

Did research for IBM in 1970s to help prepare managers for expatriate assignments

Developed a reference framework of cultural dimensions for national cultures

Leads consulting firm ITIM International

Photo by Daphne Dumoulin


Page 6: The Influence of National and Organizational Culture on Information System Security Design

Four plus one indexes of national culture
Power Distance (PDI)
Individualism/Collectivism (IDV)
Masculinity/Femininity (MAS)
Uncertainty Avoidance (UAI)
Long-term Orientation (LTO)
  ▪ Confucian Dynamism
  ▪ Added later


Page 7: The Influence of National and Organizational Culture on Information System Security Design

“the extent to which the less powerful members of organizations and institutions (like the family) accept and expect that power is distributed unequally.”

Leads to wealthier and better educated populations

Low-PDI countries use technology more, but with “a more critical attitude”
  ▪ High-PDI countries need less technology


Page 8: The Influence of National and Organizational Culture on Information System Security Design

Low-PDI
Country       PDI  IDV  MAS  UAI
Austria        11   55   79   70
Denmark        18   74   16   23

High-PDI
Country       PDI  IDV  MAS  UAI
Philippines    94   32   64   44
Mexico         81   30   69   82
Venezuela      81   12   73   76


Page 9: The Influence of National and Organizational Culture on Information System Security Design

Individualists
  ▪ Ties between individuals are loose.
  ▪ Everyone is expected to look after him/herself and his/her immediate family.

Collectivists
  ▪ People from birth onwards are integrated into strong, cohesive in-groups, often extended families.
  ▪ Protection in exchange for unquestioning loyalty.


Page 10: The Influence of National and Organizational Culture on Information System Security Design

Low-IDV
Country        PDI  IDV  MAS  UAI
Venezuela       81   12   73   76
Peru            65   16   42   87
Korea (Rep.)    60   18   39   85

High-IDV
Country        PDI  IDV  MAS  UAI
United States   40   91   62   46
Australia       36   90   61   51


Page 11: The Influence of National and Organizational Culture on Information System Security Design

“The distribution of roles between the genders which is another fundamental issue for any society to which a range of solutions are found.”

Masculinity
  ▪ Assertive

Femininity
  ▪ Modest, caring


Page 12: The Influence of National and Organizational Culture on Information System Security Design

Low-MAS
Country     PDI  IDV  MAS  UAI
Sweden       31   71    5   29
Norway       31   69    8   50

High-MAS
Country     PDI  IDV  MAS  UAI
Japan        54   46   95   92
Venezuela    81   12   73   76


Page 13: The Influence of National and Organizational Culture on Information System Security Design

“A society's tolerance for uncertainty and ambiguity”

“Indicates to what extent a culture programs its members to feel either uncomfortable or comfortable in unstructured situations.”
  ▪ (Hofstede, 2001)

“Uncertainty avoiding [high-UAI] cultures try to minimize the possibility of such situations by strict laws and rules, safety and security measures…”
  ▪ (Hofstede, 2009)


Page 14: The Influence of National and Organizational Culture on Information System Security Design

Low-UAI
Country     PDI  IDV  MAS  UAI
Denmark      18   74   16   23
Sweden       31   71    5   29

High-UAI
Country     PDI  IDV  MAS  UAI
Portugal     63   27   31  104
Uruguay      61   36   38  100


Page 15: The Influence of National and Organizational Culture on Information System Security Design

Long Term Orientation
  ▪ Thrift and perseverance

Short Term Orientation
  ▪ Respect for tradition
  ▪ Fulfilling social obligations
  ▪ Protecting one's 'face'

Hofstede developed this dimension later, following additional research.


Page 16: The Influence of National and Organizational Culture on Information System Security Design

Country       PDI  IDV  MAS  UAI
Estonia*       40   60   30   60
Finland        33   63   26   59
Germany        35   67   66   65
Switzerland    34   68   70   58

* Estimated values

Source: Geert Hofstede™ Cultural Dimensions, http://www.geert-hofstede.com/hofstede_dimensions.php


Page 17: The Influence of National and Organizational Culture on Information System Security Design

Country     PDI  IDV  MAS  UAI  LTO
Estonia*     40   60   30   60  N/A
Latvia       44   70   21   63   25
Lithuania    42   60    9   65   30
Finland      33   63   26   59   41
Sweden       31   71    5   29   33
Norway       31   69    8   50   44

* Estimated values

Sources: Geert Hofstede™ Cultural Dimensions, http://www.geert-hofstede.com/hofstede_dimensions.php


Page 18: The Influence of National and Organizational Culture on Information System Security Design

Our national culture relates to our deeply held values regarding, for example, good vs. evil, normal vs. abnormal, safe vs. dangerous, and rational vs. irrational.

National cultural values are learned early, held deeply and change slowly over the course of generations. (attributed to G. Hofstede)


Page 19: The Influence of National and Organizational Culture on Information System Security Design

Organizational culture is comprised of broad guidelines which are rooted in organizational practices learned on the job. (attributed to G. Hofstede)


Page 20: The Influence of National and Organizational Culture on Information System Security Design

But if these [organizational] priorities and leadership traits go against the deeply held national cultural values of employees, corporate values (processes and practices) will be undermined. (attributed to G. Hofstede)


Page 21: The Influence of National and Organizational Culture on Information System Security Design

What is appropriate in one national setting is wholly offensive in another.

What is rational in one national setting is wholly irrational in another.

And, corporate culture never trumps national culture. (attributed to G. Hofstede)


Page 22: The Influence of National and Organizational Culture on Information System Security Design

“The answer, then, lies … in overlaying and harmonizing local interpretations of corporate practices to cultural norms.” (attributed to G. Hofstede)


Page 23: The Influence of National and Organizational Culture on Information System Security Design

Describes broad-brush cultural differences between societies. (Beer, 2003)

Terms popularized by Edward T. Hall, anthropologist and cross-cultural researcher
  ▪ Died in July 2009 in Santa Fe, New Mexico

Page 24: The Influence of National and Organizational Culture on Information System Security Design

High context refers to societies or groups where people have close connections over a long period of time. Many aspects of cultural behavior are not made explicit because most members know what to do and what to think from years of interaction with each other. Your family is probably an example of a high context environment. (Beer, 2003)


Page 25: The Influence of National and Organizational Culture on Information System Security Design

Low context refers to societies where people tend to have many connections but of shorter duration or for some specific reason. In these societies, cultural behavior and beliefs may need to be spelled out explicitly so that those coming into the cultural environment know how to behave. (Beer, 2003)

Information systems are low-context groups.


Page 26: The Influence of National and Organizational Culture on Information System Security Design

“The term ‘information security’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide (A) integrity, … (B) confidentiality, … and (C) availability.”
  ▪ (U.S. Code, Title 44, Chapter 35, Subchapter III, § 3542)


Page 27: The Influence of National and Organizational Culture on Information System Security Design

Guarding against improper information modification or destruction

Includes ensuring information nonrepudiation and authenticity
  ▪ Nonrepudiation means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message
  ▪ Authenticity is the quality or state of being genuine or original, rather than a reproduction or fabrication.
  ▪ (Whitman & Mattord, 2009)


Page 28: The Influence of National and Organizational Culture on Information System Security Design

Preserving authorized restrictions on access and disclosure

Includes means for protecting personal privacy and proprietary information
  ▪ (U.S. Code, Title 44, Chapter 35, Subchapter III, § 3542)


Page 29: The Influence of National and Organizational Culture on Information System Security Design

Ensuring timely and reliable access to and use of information.
  ▪ (U.S. Code, Title 44, Chapter 35, Subchapter III, § 3542)


Page 30: The Influence of National and Organizational Culture on Information System Security Design

Information System Security Design must therefore be based on national culture first, and then on organizational practices.

“A culture with a strong, positive emphasis on security helps people recognize the importance of following good security practices and adhering to policies.” (Perrin, 2008)


Page 31: The Influence of National and Organizational Culture on Information System Security Design

Task 1: Research the preferences of the national culture(s) and internal practices of the organization for which you need to design secure information systems.

Task 2: Design security interfaces that make it feel “easier and more natural for users to do the right thing for security…” (Perrin, 2008)


Page 32: The Influence of National and Organizational Culture on Information System Security Design

Integrate security features into each information system from the beginning.
  ▪ Greater security does not imply lower usability.

If security was an afterthought and is perceived as an add-on…
  ▪ Low-MAS cultures will be less likely to feel comfortable with it.
  ▪ High-IDV cultures might disable security features altogether.

Page 33: The Influence of National and Organizational Culture on Information System Security Design

Interfaces between systems and devices require no cultural design considerations.
  ▪ As we determined earlier, neither computers nor information systems have a culture in and of themselves at this time.

But the creators of information systems have probably inadvertently included some of their cultural biases.
  ▪ The security designer’s sensitivity to those biases should result in better integration and a better user experience.


Page 34: The Influence of National and Organizational Culture on Information System Security Design

Users from high-UAI cultures need the message to be displayed very prominently and contain easily understandable directions.

Users from high-PDI cultures expect firm instructions.

Users from low-MAS cultures need to feel that the message sender cares about them.

If using colors, ensure that messages meet with cultural color norms.


Page 35: The Influence of National and Organizational Culture on Information System Security Design

When dealing with users of a high-UAI cultural background, go to great lengths to educate them about the security features used in your information systems.
  ▪ Integrate all commonly expected security tools
  ▪ Place explanatory comments and/or images near “Submit” buttons.
  ▪ Create extensive and easily accessible FAQs for users.

Page 36: The Influence of National and Organizational Culture on Information System Security Design

If your organization has a strong internal culture, integrate your information system’s security standards with others already in use.
  … unless you have a significant reason not to.
  ▪ Technical, cultural, organizational

If your corporate systems need to be upgraded with new security features, implement new standards for all information systems, if possible.


Page 37: The Influence of National and Organizational Culture on Information System Security Design

Bagchi, K., Hart, P. & Peterson, M. F. (2004). National culture and information technology product adoption. Journal of Global Information Technology Management 7(4), 29-46.

Beer, J. (2003). Communicating Across Cultures: High and Low Context. Retrieved February 22, 2010 from http://www.culture-at-work.com/highlow.html .

Page 38: The Influence of National and Organizational Culture on Information System Security Design

Hofstede, G. (2009). Geert Hofstede™ Cultural Dimensions. Retrieved February 22, 2010 from http://www.geert-hofstede.com/ .

Hofstede, G. (2001). Culture’s consequences: comparing values, behaviors, institutions, and organizations across nations. Thousand Oaks, CA: Sage.

Hofstede, G. (1997). Cultures and Organizations: Software of the mind. New York: McGraw Hill.


Page 39: The Influence of National and Organizational Culture on Information System Security Design

Huettinger, M. (2006). Cultural dimensions in business life: Hofstede’s indices for Latvia and Lithuania. Baltic Journal of Management 3(3), 359-376.

Perrin, C. (2008). Interface design is security design. TechRepublic. Retrieved February 22, 2010 from http://blogs.techrepublic.com.com/security/?p=390 .

Page 40: The Influence of National and Organizational Culture on Information System Security Design

U.S. Code, Title 44, Chapter 35, Subchapter III, § 3542. Downloaded February 22, 2010 from http://www.law.cornell.edu/uscode/44/3542.html .

Whitman, M.E. & Mattord, H.J. (2009). Principles of Information Security (3rd ed.). Boston, MA: Course Technology.


Page 41: The Influence of National and Organizational Culture on Information System Security Design

What are Hofstede’s Cultural Dimensions? P______, I______, M______, U______, L______

Which is more important for IS security design? National or organizational culture?

Do computers/information systems have culture?

What are the differences between high-context and low-context societies?

What are the three main components of information system security (U.S. Code)?
