The Influence of National and Organizational Culture on Information System Security Design

Markus Geissler, PhD, Professor, Computer Information Science, Cosumnes River College, Sacramento, California, USA


Transcript and Presenter's Notes


1
The Influence of National and Organizational
Culture on Information System Security Design
  • Markus Geissler, PhD
  • Professor, Computer Information Science
  • Cosumnes River College
  • Sacramento, California, USA

2
Overview
  • What is Culture?
  • Hofstede's Cultural Dimensions
  • National vs. organizational culture
  • Components of Information System Security
  • Information System Security Design Considerations
  • Examples

3
Definition of Culture
  • Culture refers to the cumulative deposit of
    knowledge, experience, beliefs, values,
    attitudes, meanings, hierarchies, religion,
    notions of time, roles, spatial relations,
    concepts of the universe, and material objects
    and possessions acquired by a group of people in
    the course of generations through individual and
    group striving.
  • (Hofstede, 1997)

4
Do Computers Have Culture?
  • Not yet, but (Click here for evidence.)
  • Artificial intelligence will give computers the
    capability to develop cultural traits over time.
  • Until then the only culture that computers have
    will be derived from the traits given to them by
    their designers, creators and programmers.
  • Information systems will comprise the Group
    component of culture.

5
Geert Hofstede
  • Dutch anthropologist
  • Did research for IBM in 1970s to help prepare
    managers for expatriate assignments
  • Developed a reference framework of cultural
    dimensions for national cultures
  • Leads consulting firm ITIM International

Photo by Daphne Dumoulin
6
Hofstede's Cultural Dimensions
  • Four plus one indexes of national culture
  • Power Distance (PDI)
  • Individualism/Collectivism (IDV)
  • Masculinity/Femininity (MAS)
  • Uncertainty Avoidance (UAI)
  • Long-term Orientation (LTO)
  • Confucian Dynamism
  • Added later

7
Power Distance (PDI)
  • the extent to which the less powerful members of
    organizations and institutions (like the family)
    accept and expect that power is distributed
    unequally.
  • Leads to wealthier and better educated
    populations
  • Low-PDI countries use technology more, but with
    a more critical attitude
  • High-PDI countries need less technology

8
Sample PDI index values
  • Low-PDI
  • Country        PDI  IDV  MAS  UAI
  • Austria         11   55   79   70
  • Denmark         18   74   16   23
  • High-PDI
  • Country        PDI  IDV  MAS  UAI
  • Philippines     94   32   64   44
  • Mexico          81   30   69   82
  • Venezuela       81   12   73   76

9
Individualism/Collectivism (IDV)
  • Individualists
  • Ties between individuals are loose.
  • Everyone is expected to look after him/herself
    and his/her immediate family.
  • Collectivists
  • People from birth onwards are integrated into
    strong, cohesive in-groups, often extended
    families.
  • Protection in exchange for unquestioning loyalty.

10
Sample IDV index values
  • Low-IDV
  • Country        PDI  IDV  MAS  UAI
  • Venezuela       81   12   73   76
  • Peru            65   16   42   87
  • Korea (Rep.)    60   18   39   85
  • High-IDV
  • Country        PDI  IDV  MAS  UAI
  • United States   40   91   62   46
  • Australia       36   90   61   51

11
Masculinity/Femininity (MAS)
  • The distribution of roles between the genders
    which is another fundamental issue for any
    society to which a range of solutions are found.
  • Masculinity
  • Assertive
  • Femininity
  • Modest, caring

12
Sample MAS index values
  • Low-MAS
  • Country        PDI  IDV  MAS  UAI
  • Sweden          31   71    5   29
  • Norway          31   69    8   50
  • High-MAS
  • Country        PDI  IDV  MAS  UAI
  • Japan           54   46   95   92
  • Venezuela       81   12   73   76

13
Uncertainty Avoidance (UAI)
  • A society's tolerance for uncertainty and
    ambiguity
  • Indicates to what extent a culture programs its
    members to feel either uncomfortable or
    comfortable in unstructured situations.
  • (Hofstede, 2001)
  • Uncertainty avoiding high-UAI cultures try to
    minimize the possibility of such situations by
    strict laws and rules, safety and security
    measures
  • (Hofstede, 2009)

14
Sample UAI index values
  • Low-UAI
  • Country        PDI  IDV  MAS  UAI
  • Denmark         18   74   16   23
  • Sweden          31   71    5   29
  • High-UAI
  • Country        PDI  IDV  MAS  UAI
  • Portugal        63   27   31  104
  • Uruguay         61   36   38  100

15
Long-Term Orientation (LTO)
  • Long Term Orientation
  • Thrift and perseverance
  • Short Term Orientation
  • Respect for tradition
  • Fulfilling social obligations
  • Protecting one's 'face'
  • Hofstede developed this dimension later,
    following additional research.

16
Estonia's index values and countries with similar
values
  • Country        PDI  IDV  MAS  UAI
  • Estonia         40   60   30   60
  • Finland         33   63   26   59
  • Germany         35   67   66   65
  • Switzerland     34   68   70   58
  • Estimated values
  • Source: Geert Hofstede Cultural Dimensions,
    http://www.geert-hofstede.com/hofstede_dimensions.php

17
Estonia's index values compared to neighboring
countries
  • Country        PDI  IDV  MAS  UAI  LTO
  • Estonia         40   60   30   60  N/A
  • Latvia          44   70   21   63   25
  • Lithuania       42   60    9   65   30
  • Finland         33   63   26   59   41
  • Sweden          31   71    5   29   33
  • Norway          31   69    8   50   44
  • Estimated values
  • Sources: Geert Hofstede Cultural Dimensions,
    http://www.geert-hofstede.com/hofstede_dimensions.php

18
National Culture
  • Our national culture relates to our deeply held
    values regarding, for example:
  • good vs. evil,
  • normal vs. abnormal,
  • safe vs. dangerous, and
  • rational vs. irrational.
  • National cultural values are learned early, held
    deeply and change slowly over the course of
    generations.
  • (attributed to G. Hofstede)

19
Organizational Culture
  • Organizational culture is comprised of broad
    guidelines which are rooted in organizational
    practices learned on the job.
  • (attributed to G. Hofstede)

20
National vs. Organizational Culture
  • But if these organizational priorities and
    leadership traits go against the deeply held
    national cultural values of employees, corporate
    values (processes and practices) will be
    undermined.
  • (attributed to G. Hofstede)

21
National vs. Organizational Culture
  • What is appropriate in one national setting is
    wholly offensive in another.
  • What is rational in one national setting is
    wholly irrational in another.
  • And, corporate culture never trumps national
    culture.
  • (attributed to G. Hofstede)

22
Organizational Practices vs. Cultural Norms
  • The answer, then, lies in overlaying and
    harmonizing local interpretations of corporate
    practices to cultural norms.
  • (attributed to G. Hofstede)

23
High-Context vs. Low-Context
  • Describes broad-brush cultural differences
    between societies.
  • (Beer, 2003)
  • Terms popularized by Edward T. Hall,
    anthropologist and cross-cultural researcher
  • Died in July 2009 in Santa Fe, New Mexico

24
High-Context Societies
  • High context refers to societies or groups where
    people have close connections over a long period
    of time. Many aspects of cultural behavior are
    not made explicit because most members know what
    to do and what to think from years of interaction
    with each other. Your family is probably an
    example of a high context environment.
  • (Beer, 2003)

25
Low-Context Societies
  • Low context refers to societies where people tend
    to have many connections but of shorter duration
    or for some specific reason. In these societies,
    cultural behavior and beliefs may need to be
    spelled out explicitly so that those coming into
    the cultural environment know how to behave.
  • (Beer, 2003)
  • Information systems are low-context groups.

26
Definition of Information System Security
  • The term information security means protecting
    information and information systems from
    unauthorized access, use, disclosure, disruption,
    modification, or destruction in order to provide:
  • (A) integrity,
  • (B) confidentiality, and
  • (C) availability.
  • (U.S. Code, Title 44, Chapter 35, Subchapter III,
    § 3542)

27
Integrity
  • Guarding against improper information
    modification or destruction
  • Includes ensuring information nonrepudiation and
    authenticity
  • Nonrepudiation means to ensure that a transferred
    message has been sent and received by the parties
    claiming to have sent and received the message
  • Authenticity is the quality or state of being
    genuine or original, rather than a reproduction
    or fabrication.
  • (Whitman & Mattord, 2009)

28
Confidentiality
  • Preserving authorized restrictions on access and
    disclosure
  • Includes means for protecting personal privacy
    and proprietary information
  • (U.S. Code, Title 44, Chapter 35, Subchapter III,
    § 3542)

29
Availability
  • Ensuring timely and reliable access to and use of
    information.
  • (U.S. Code, Title 44, Chapter 35, Subchapter III,
    § 3542)

30
Information System Security Design Requirements
  • Information System Security Design must therefore
    be based on national culture first, and then on
    organizational practices.
  • A culture with a strong, positive emphasis on
    security helps people recognize the importance of
    following good security practices and adhering to
    policies.
  • (Perrin, 2008)

31
Security Design Preparation
  • Task 1: Research the preferences of the national
    culture(s) and internal practices of the
    organization for which you need to design secure
    information systems.
  • Task 2: Design security interfaces that make it
    feel easier and more natural for users to do the
    right thing for security.
  • (Perrin, 2008)

32
Information System Security Design
  • Integrate security features into each information
    system from the beginning.
  • Greater security does not imply lower usability.
  • If security was an afterthought and is perceived
    as an add-on:
  • Low-MAS cultures will be less likely to feel
    comfortable with it.
  • High-IDV cultures might disable security features
    altogether.

33
Security Infrastructure Design
  • Interfaces between systems and devices require no
    cultural design considerations.
  • As we determined earlier, neither computers nor
    information systems have a culture in and of
    themselves at this time.
  • But the creators of information systems have
    probably inadvertently included some of their
    cultural biases.
  • The security designer's sensitivity to those
    biases should result in better integration and a
    better user experience.

34
Formulating Security-related Messages to Users of
IS
  • Users from high-UAI cultures need the message to
    be displayed very prominently and contain easily
    understandable directions.
  • Users from high-PDI cultures expect firm
    instructions.
  • Users from low-MAS cultures need to feel that the
    message sender cares about them.
  • If using colors, ensure that messages meet with
    cultural color norms.

35
Example 1: High-UAI cultures
  • When dealing with users of a high-UAI cultural
    background, go to great lengths to educate them
    about the security features used in your
    information systems.
  • Integrate all commonly expected security tools
  • Place explanatory comments and/or images near
    Submit buttons.
  • Create extensive and easily accessible FAQs for
    users.

36
Example 2: Organizational Cultures
  • If your organization has a strong internal
    culture, integrate your information systems
    security standards with others already in use.
  • unless you have a significant reason not to.
  • Technical, cultural, organizational
  • If your corporate systems need to be upgraded
    with new security features, implement new
    standards for all information systems, if
    possible.

37
Bibliography
  • Bagchi, K., Hart, P., & Peterson, M. F. (2004).
    National culture and information technology
    product adoption. Journal of Global Information
    Technology Management 7(4), 29-46.
  • Beer, J. (2003). Communicating Across Cultures:
    High and Low Context. Retrieved February 22, 2010
    from http://www.culture-at-work.com/highlow.html .

38
Bibliography (continued)
  • Hofstede, G. (2009). Geert Hofstede Cultural
    Dimensions. Retrieved February 22, 2010 from
    http://www.geert-hofstede.com/ .
  • Hofstede, G. (2001). Culture's consequences:
    Comparing values, behaviors, institutions, and
    organizations across nations. Thousand Oaks, CA:
    Sage.
  • Hofstede, G. (1997). Cultures and Organizations:
    Software of the mind. New York: McGraw Hill.

39
Bibliography (continued)
  • Huettinger, M. (2006), Cultural dimensions in
    business life: Hofstede's indices for Latvia and
    Lithuania, Baltic Journal of Management, Vol. 3
    No. 3, pp. 359-376.
  • Perrin, C. (2008). Interface design is security
    design. TechRepublic. Retrieved February 22, 2010
    from http://blogs.techrepublic.com.com/security/?p=390 .

40
Bibliography (continued)
  • U.S. Code, Title 44, Chapter 35, Subchapter III,
    § 3542. Downloaded February 22, 2010 from
    http://www.law.cornell.edu/uscode/44/3542.html .
  • Whitman, M.E., & Mattord, H.J. (2009). Principles
    of Information Security (3rd ed.). Boston, MA:
    Course Technology.

41
Did you pay attention?
  • What are Hofstede's Cultural Dimensions?
  • P______, I______, M______, U______, L______
  • Which is more important for IS security design?
    National or organizational culture?
  • Do computers/information systems have culture?
  • What are the differences between high-context and
    low-context societies?
  • What are the three main components of information
    system security (U.S. Code)?