Title: The Influence of National and Organizational Culture on Information System Security Design
1. The Influence of National and Organizational
Culture on Information System Security Design
- Markus Geissler, PhD
- Professor, Computer Information Science
- Cosumnes River College
- Sacramento, California, USA
2. Overview
- What is Culture?
- Hofstede's Cultural Dimensions
- National vs. organizational culture
- Components of Information System Security
- Information System Security Design Considerations
- Examples
3. Definition of Culture
- Culture refers to the cumulative deposit of
knowledge, experience, beliefs, values,
attitudes, meanings, hierarchies, religion,
notions of time, roles, spatial relations,
concepts of the universe, and material objects
and possessions acquired by a group of people in
the course of generations through individual and
group striving.
- (Hofstede, 1997)
4. Do Computers Have Culture?
- Not yet, but ...
- Artificial intelligence will give computers the
capability to develop cultural traits over time.
- Until then the only culture that computers have
will be derived from the traits given to them by
their designers, creators and programmers.
- Information systems will comprise the Group
component of culture.
5. Geert Hofstede
- Dutch anthropologist
- Did research for IBM in 1970s to help prepare
managers for expatriate assignments
- Developed a reference framework of cultural
dimensions for national cultures
- Leads consulting firm ITIM International
6. Hofstede's Cultural Dimensions
- Four plus one indexes of national culture
- Power Distance (PDI)
- Individualism/Collectivism (IDV)
- Masculinity/Femininity (MAS)
- Uncertainty Avoidance (UAI)
- Long-term Orientation (LTO)
- Confucian Dynamism
- Added later
7. Power Distance (PDI)
- the extent to which the less powerful members of
organizations and institutions (like the family)
accept and expect that power is distributed
unequally.
- Leads to wealthier and better educated
populations
- Low-PDI countries use technology more, but with
a more critical attitude
- High-PDI countries need less technology
8. Sample PDI index values
- Low-PDI
  Country         PDI  IDV  MAS  UAI
  Austria          11   55   79   70
  Denmark          18   74   16   23
- High-PDI
  Country         PDI  IDV  MAS  UAI
  Philippines      94   32   64   44
  Mexico           81   30   69   82
  Venezuela        81   12   73   76
9. Individualism/Collectivism (IDV)
- Individualists
- Ties between individuals are loose.
- Everyone is expected to look after him/herself
and his/her immediate family.
- Collectivists
- People from birth onwards are integrated into
strong, cohesive in-groups, often extended
families.
- Protection in exchange for unquestioning loyalty.
10. Sample IDV index values
- Low-IDV
  Country         PDI  IDV  MAS  UAI
  Venezuela        81   12   73   76
  Peru             65   16   42   87
  Korea (Rep.)     60   18   39   85
- High-IDV
  Country         PDI  IDV  MAS  UAI
  United States    40   91   62   46
  Australia        36   90   61   51
11. Masculinity/Femininity (MAS)
- The distribution of roles between the genders
which is another fundamental issue for any
society to which a range of solutions are found.
- Masculinity
- Assertive
- Femininity
- Modest, caring
12. Sample MAS index values
- Low-MAS
  Country         PDI  IDV  MAS  UAI
  Sweden           31   71    5   29
  Norway           31   69    8   50
- High-MAS
  Country         PDI  IDV  MAS  UAI
  Japan            54   46   95   92
  Venezuela        81   12   73   76
13. Uncertainty Avoidance (UAI)
- A society's tolerance for uncertainty and
ambiguity
- Indicates to what extent a culture programs its
members to feel either uncomfortable or
comfortable in unstructured situations.
- (Hofstede, 2001)
- Uncertainty avoiding high-UAI cultures try to
minimize the possibility of such situations by
strict laws and rules, safety and security
measures
- (Hofstede, 2009)
14. Sample UAI index values
- Low-UAI
  Country         PDI  IDV  MAS  UAI
  Denmark          18   74   16   23
  Sweden           31   71    5   29
- High-UAI
  Country         PDI  IDV  MAS  UAI
  Portugal         63   27   31  104
  Uruguay          61   36   38  100
15. Long-Term Orientation (LTO)
- Long Term Orientation
- Thrift and perseverance
- Short Term Orientation
- Respect for tradition
- Fulfilling social obligations
- Protecting one's 'face'
- Hofstede developed this dimension later,
following additional research.
16. Estonia's index values and countries with similar
values
Country         PDI  IDV  MAS  UAI
Estonia          40   60   30   60
Finland          33   63   26   59
Germany          35   67   66   65
Switzerland      34   68   70   58
- Estimated values
- Source: Geert Hofstede Cultural Dimensions,
http://www.geert-hofstede.com/hofstede_dimensions.php
17. Estonia's index values compared to neighboring
countries
Country         PDI  IDV  MAS  UAI  LTO
Estonia          40   60   30   60  N/A
Latvia           44   70   21   63   25
Lithuania        42   60    9   65   30
Finland          33   63   26   59   41
Sweden           31   71    5   29   33
Norway           31   69    8   50   44
- Estimated values
- Sources: Geert Hofstede Cultural Dimensions,
http://www.geert-hofstede.com/hofstede_dimensions.php
18. National Culture
- Our national culture relates to our deeply held
values regarding, for example:
- good vs. evil,
- normal vs. abnormal,
- safe vs. dangerous, and
- rational vs. irrational.
- National cultural values are learned early, held
deeply and change slowly over the course of
generations.
- (attributed to G. Hofstede)
19. Organizational Culture
- Organizational culture is comprised of broad
guidelines which are rooted in organizational
practices learned on the job.
- (attributed to G. Hofstede)
20. National vs. Organizational Culture
- But if these organizational priorities and
leadership traits go against the deeply held
national cultural values of employees, corporate
values (processes and practices) will be
undermined.
- (attributed to G. Hofstede)
21. National vs. Organizational Culture
- What is appropriate in one national setting is
wholly offensive in another.
- What is rational in one national setting is
wholly irrational in another.
- And, corporate culture never trumps national
culture.
- (attributed to G. Hofstede)
22. Organizational Practices vs. Cultural Norms
- The answer, then, lies in overlaying and
harmonizing local interpretations of corporate
practices to cultural norms.
- (attributed to G. Hofstede)
23. High-Context vs. Low-Context
- Describes broad-brush cultural differences
between societies.
- (Beer, 2003)
- Terms popularized by Edward T. Hall,
anthropologist and cross-cultural researcher
- Died in July 2009 in Santa Fe, New Mexico
24. High-Context Societies
- High context refers to societies or groups where
people have close connections over a long period
of time. Many aspects of cultural behavior are
not made explicit because most members know what
to do and what to think from years of interaction
with each other. Your family is probably an
example of a high context environment.
- (Beer, 2003)
25. Low-Context Societies
- Low context refers to societies where people tend
to have many connections but of shorter duration
or for some specific reason. In these societies,
cultural behavior and beliefs may need to be
spelled out explicitly so that those coming into
the cultural environment know how to behave.
- (Beer, 2003)
- Information systems are low-context groups.
26. Definition of Information System Security
- The term information security means protecting
information and information systems from
unauthorized access, use, disclosure, disruption,
modification, or destruction in order to provide
- (A) integrity,
- (B) confidentiality, and
- (C) availability.
- (U.S. Code, Title 44, Chapter 35, Subchapter III,
§ 3542)
27. Integrity
- Guarding against improper information
modification or destruction
- Includes ensuring information nonrepudiation and
authenticity
- Nonrepudiation means to ensure that a transferred
message has been sent and received by the parties
claiming to have sent and received the message
- Authenticity is the quality or state of being
genuine or original, rather than a reproduction
or fabrication.
- (Whitman & Mattord, 2009)
28. Confidentiality
- Preserving authorized restrictions on access and
disclosure
- Includes means for protecting personal privacy
and proprietary information
- (U.S. Code, Title 44, Chapter 35, Subchapter III,
§ 3542)
29. Availability
- Ensuring timely and reliable access to and use of
information.
- (U.S. Code, Title 44, Chapter 35, Subchapter III,
§ 3542)
30. Information System Security Design Requirements
- Information System Security Design must therefore
be based on national culture first, and then on
organizational practices.
- A culture with a strong, positive emphasis on
security helps people recognize the importance of
following good security practices and adhering to
policies.
- (Perrin, 2008)
31. Security Design Preparation
- Task 1: Research the preferences of the national
culture(s) and internal practices of the
organization for which you need to design secure
information systems.
- Task 2: Design security interfaces that make it
feel easier and more natural for users to do the
right thing for security
- (Perrin, 2008)
32. Information System Security Design
- Integrate security features into each information
system from the beginning.
- Greater security does not imply lower usability.
- If security was an afterthought and is perceived
as an add-on:
- Low-MAS cultures will be less likely to feel
comfortable with it.
- High-IDV cultures might disable security features
altogether.
33. Security Infrastructure Design
- Interfaces between systems and devices require no
cultural design considerations.
- As we determined earlier, neither computers nor
information systems have a culture in and of
themselves at this time.
- But the creators of information systems have
probably inadvertently included some of their
cultural biases.
- The security designer's sensitivity to those
biases should result in better integration and a
better user experience.
34. Formulating Security-related Messages to Users of IS
- Users from high-UAI cultures need the message to
be displayed very prominently and contain easily
understandable directions.
- Users from high-PDI cultures expect firm
instructions.
- Users from low-MAS cultures need to feel that the
message sender cares about them.
- If using colors, ensure that messages meet with
cultural color norms.
35. Example 1: High-UAI cultures
- When dealing with users of a high-UAI cultural
background, go to great lengths to educate them
about the security features used in your
information systems.
- Integrate all commonly expected security tools
- Place explanatory comments and/or images near
Submit buttons.
- Create extensive and easily accessible FAQs for
users.
36. Example 2: Organizational Cultures
- If your organization has a strong internal
culture, integrate your information systems
security standards with others already in use.
- unless you have a significant reason not to.
- Technical, cultural, organizational
- If your corporate systems need to be upgraded
with new security features, implement new
standards for all information systems, if
possible.
37. Bibliography
- Bagchi, K., Hart, P., & Peterson, M. F. (2004).
National culture and information technology
product adoption. Journal of Global Information
Technology Management, 7(4), 29-46.
- Beer, J. (2003). Communicating Across Cultures:
High and Low Context. Retrieved February 22, 2010
from http://www.culture-at-work.com/highlow.html
38. Bibliography (continued)
- Hofstede, G. (2009). Geert Hofstede Cultural
Dimensions. Retrieved February 22, 2010 from
http://www.geert-hofstede.com/
- Hofstede, G. (2001). Culture's consequences:
Comparing values, behaviors, institutions, and
organizations across nations. Thousand Oaks, CA:
Sage.
- Hofstede, G. (1997). Cultures and Organizations:
Software of the mind. New York: McGraw Hill.
39. Bibliography (continued)
- Huettinger, M. (2006). Cultural dimensions in
business life: Hofstede's indices for Latvia and
Lithuania. Baltic Journal of Management, Vol. 3
No. 3, pp. 359-376.
- Perrin, C. (2008). Interface design is security
design. TechRepublic. Retrieved February 22, 2010
from http://blogs.techrepublic.com.com/security/?p=390
40. Bibliography (continued)
- U.S. Code, Title 44, Chapter 35, Subchapter III,
§ 3542. Downloaded February 22, 2010 from
http://www.law.cornell.edu/uscode/44/3542.html
- Whitman, M.E., & Mattord, H.J. (2009). Principles
of Information Security (3rd ed.). Boston, MA:
Course Technology.
41. Did you pay attention?
- What are Hofstede's Cultural Dimensions?
- P______, I______, M______, U______, L______
- Which is more important for IS security design?
National or organizational culture?
- Do computers/information systems have culture?
- What are the differences between high-context and
low-context societies?
- What are the three main components of information
system security (U.S. Code)?