Markus Geissler, PhD
Professor, Computer Information Science
Cosumnes River College
Sacramento, California, USA

The Influence of National and Organizational Culture on Information System Security Design

Overview
• What is Culture?
• Hofstede’s Cultural Dimensions
• National vs. organizational culture
• Components of Information System Security
• Information System Security Design Considerations
• Examples
The Influence of National and Organizational Culture on Information System Security Design – Markus Geissler, Ph.D.

Definition of Culture
• Culture refers to the cumulative deposit of knowledge, experience, beliefs, values, attitudes, meanings, hierarchies, religion, notions of time, roles, spatial relations, concepts of the universe, and material objects and possessions acquired by a group of people in the course of generations through individual and group striving.
  (Hofstede, 1997)

Do Computers Have Culture?
• Not yet, but…
• Artificial intelligence will give computers the capability to develop cultural traits over time.
• Until then the only “culture” that computers have will be derived from the traits given to them by their designers, creators and programmers.
• Information systems will comprise the Group component of culture.

Geert Hofstede
• Dutch anthropologist
• Did research for IBM in the 1970s to help prepare managers for expatriate assignments
• Developed a reference framework of cultural dimensions for national cultures
• Leads consulting firm ITIM International
Photo by Daphne Dumoulin

Hofstede’s Cultural Dimensions
• Four plus one indexes of national culture
  • Power Distance (PDI)
  • Individualism/Collectivism (IDV)
  • Masculinity/Femininity (MAS)
  • Uncertainty Avoidance (UAI)
  • Long-term Orientation (LTO)
    • Confucian Dynamism
    • Added later

Power Distance (PDI)
• “the extent to which the less powerful members of organizations and institutions (like the family) accept and expect that power is distributed unequally.”
• Leads to wealthier and better educated populations
• Low-PDI countries use technology more, but with “a more critical attitude”
• High-PDI countries need less technology

Sample PDI index values
• Low-PDI
  Country        PDI  IDV  MAS  UAI
  Austria         11   55   79   70
  Denmark         18   74   16   23
• High-PDI
  Country        PDI  IDV  MAS  UAI
  Philippines     94   32   64   44
  Mexico          81   30   69   82
  Venezuela       81   12   73   76

Individualism/Collectivism (IDV)
• Individualists
  • Ties between individuals are loose.
  • Everyone is expected to look after him/herself and his/her immediate family.
• Collectivists
  • People from birth onwards are integrated into strong, cohesive in-groups, often extended families.
  • Protection in exchange for unquestioning loyalty.

Sample IDV index values
• Low-IDV
  Country        PDI  IDV  MAS  UAI
  Venezuela       81   12   73   76
  Peru            65   16   42   87
  Korea (Rep.)    60   18   39   85
• High-IDV
  Country        PDI  IDV  MAS  UAI
  United States   40   91   62   46
  Australia       36   90   61   51

Masculinity/Femininity (MAS)
• “The distribution of roles between the genders which is another fundamental issue for any society to which a range of solutions are found.”
• Masculinity
  • Assertive
• Femininity
  • Modest, caring

Sample MAS index values
• Low-MAS
  Country        PDI  IDV  MAS  UAI
  Sweden          31   71    5   29
  Norway          31   69    8   50
• High-MAS
  Country        PDI  IDV  MAS  UAI
  Japan           54   46   95   92
  Venezuela       81   12   73   76

Uncertainty Avoidance (UAI)
• “A society's tolerance for uncertainty and ambiguity”
• “Indicates to what extent a culture programs its members to feel either uncomfortable or comfortable in unstructured situations.”
  (Hofstede, 2001)
• “Uncertainty avoiding [high-UAI] cultures try to minimize the possibility of such situations by strict laws and rules, safety and security measures…”
  (Hofstede, 2009)

Sample UAI index values
• Low-UAI
  Country        PDI  IDV  MAS  UAI
  Denmark         18   74   16   23
  Sweden          31   71    5   29
• High-UAI
  Country        PDI  IDV  MAS  UAI
  Portugal        63   27   31  104
  Uruguay         61   36   38  100

Long-Term Orientation (LTO)
• Long Term Orientation
  • Thrift and perseverance
• Short Term Orientation
  • Respect for tradition
  • Fulfilling social obligations
  • Protecting one's 'face'
• Hofstede developed this dimension later, following additional research.

Estonia’s index values and countries with similar values
  Country        PDI  IDV  MAS  UAI
  Estonia*        40   60   30   60
  Finland         33   63   26   59
  Germany         35   67   66   65
  Switzerland     34   68   70   58
  * Estimated values
• Source: Geert Hofstede™ Cultural Dimensions, http://www.geert-hofstede.com/hofstede_dimensions.php

Estonia’s index values compared to neighboring countries
  Country        PDI  IDV  MAS  UAI  LTO
  Estonia*        40   60   30   60  N/A
  Latvia          44   70   21   63   25
  Lithuania       42   60    9   65   30
  Finland         33   63   26   59   41
  Sweden          31   71    5   29   33
  Norway          31   69    8   50   44
  * Estimated values
• Sources: Geert Hofstede™ Cultural Dimensions, http://www.geert-hofstede.com/hofstede_dimensions.php

National Culture
• Our national culture relates to our deeply held values regarding, for example
  • good vs. evil,
  • normal vs. abnormal,
  • safe vs. dangerous, and
  • rational vs. irrational.
• National cultural values are learned early, held deeply and change slowly over the course of generations.
  (attributed to G. Hofstede)

Organizational Culture
• Organizational culture is comprised of broad guidelines which are rooted in organizational practices learned on the job.
  (attributed to G. Hofstede)

National vs. Organizational Culture
• But if these [organizational] priorities and leadership traits go against the deeply held national cultural values of employees, corporate values (processes and practices) will be undermined.
  (attributed to G. Hofstede)

National vs. Organizational Culture
• What is appropriate in one national setting is wholly offensive in another.
• What is rational in one national setting is wholly irrational in another.
• And, corporate culture never trumps national culture.
  (attributed to G. Hofstede)

Organizational Practices vs. Cultural Norms
• “The answer, then, lies … in overlaying and harmonizing local interpretations of corporate practices to cultural norms.”
  (attributed to G. Hofstede)

High-Context vs. Low-Context
• Describes broad-brush cultural differences between societies.
  (Beer, 2003)
• Terms popularized by Edward T. Hall, anthropologist and cross-cultural researcher
  • Died in July 2009 in Santa Fe, New Mexico

High-Context Societies
• High context refers to societies or groups where people have close connections over a long period of time. Many aspects of cultural behavior are not made explicit because most members know what to do and what to think from years of interaction with each other. Your family is probably an example of a high context environment.
  (Beer, 2003)

Low-Context Societies
• Low context refers to societies where people tend to have many connections but of shorter duration or for some specific reason. In these societies, cultural behavior and beliefs may need to be spelled out explicitly so that those coming into the cultural environment know how to behave.
  (Beer, 2003)
• Information systems are low-context groups.

Definition of Information System Security
• “The term ‘information security’ means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide
  • (A) integrity, …
  • (B) confidentiality, … and
  • (C) availability.”
  (U.S. Code, Title 44, Chapter 35, Subchapter III, § 3542)

Integrity
• Guarding against improper information modification or destruction
• Includes ensuring information nonrepudiation and authenticity
  • Nonrepudiation means to ensure that a transferred message has been sent and received by the parties claiming to have sent and received the message
  • Authenticity is the quality or state of being genuine or original, rather than a reproduction or fabrication.
  (Whitman & Mattord, 2009)

Confidentiality
• Preserving authorized restrictions on access and disclosure
• Includes means for protecting personal privacy and proprietary information
  (U.S. Code, Title 44, Chapter 35, Subchapter III, § 3542)

Availability
• Ensuring timely and reliable access to and use of information.
  (U.S. Code, Title 44, Chapter 35, Subchapter III, § 3542)

Information System Security Design Requirements
• Information System Security Design must therefore be based on national culture first, and then on organizational practices.
• “A culture with a strong, positive emphasis on security helps people recognize the importance of following good security practices and adhering to policies.”
  (Perrin, 2008)

Security Design Preparation
• Task 1: Research the preferences of the national culture(s) and internal practices of the organization for which you need to design secure information systems.
• Task 2: Design security interfaces that make it feel “easier and more natural for users to do the right thing for security…”
  (Perrin, 2008)

Information System Security Design
• Integrate security features into each information system from the beginning.
• Greater security does not imply lower usability.
• If security was an afterthought and is perceived as an add-on…
  • Low-MAS cultures will be less likely to feel comfortable with it.
  • High-IDV cultures might disable security features altogether.

Security Infrastructure Design
• Interfaces between systems and devices require no cultural design considerations.
• As we determined earlier, neither computers nor information systems have a culture in and of themselves at this time.
• But the creators of information systems have probably inadvertently included some of their cultural biases.
• The security designer’s sensitivity to those biases should result in better integration and a better user experience.

Formulating Security-related Messages to Users of IS
• Users from high-UAI cultures need the message to be displayed very prominently and contain easily understandable directions.
• Users from high-PDI cultures expect firm instructions.
• Users from low-MAS cultures need to feel that the message sender cares about them.
• If using colors, ensure that messages meet with cultural color norms.

Example 1: High-UAI cultures
• When dealing with users of a high-UAI cultural background, go to great lengths to educate them about the security features used in your information systems.
• Integrate all commonly expected security tools
• Place explanatory comments and/or images near “Submit” buttons.
• Create extensive and easily accessible FAQs for users.

Example 2: Organizational Cultures
• If your organization has a strong internal culture, integrate your information system’s security standards with others already in use.
  • … unless you have a significant reason not to.
    • Technical, cultural, organizational
• If your corporate systems need to be upgraded with new security features, implement new standards for all information systems, if possible.

Bibliography
• Bagchi, K., Hart, P. & Peterson, M. F. (2004). National culture and information technology product adoption. Journal of Global Information Technology Management, 7(4), 29-46.
• Beer, J. (2003). Communicating Across Cultures: High and Low Context. Retrieved February 22, 2010 from http://www.culture-at-work.com/highlow.html
• Hofstede, G. (2009). Geert Hofstede™ Cultural Dimensions. Retrieved February 22, 2010 from http://www.geert-hofstede.com/
• Hofstede, G. (2001). Culture’s consequences: comparing values, behaviors, institutions, and organizations across nations. Thousand Oaks, CA: Sage.
• Hofstede, G. (1997). Cultures and Organizations: Software of the mind. New York: McGraw Hill.
• Huettinger, M. (2006). Cultural dimensions in business life: Hofstede’s indices for Latvia and Lithuania. Baltic Journal of Management, 3(3), 359-376.
• Perrin, C. (2008). Interface design is security design. TechRepublic. Retrieved February 22, 2010 from http://blogs.techrepublic.com.com/security/?p=390
• U.S. Code, Title 44, Chapter 35, Subchapter III, § 3542. Downloaded February 22, 2010 from http://www.law.cornell.edu/uscode/44/3542.html
• Whitman, M.E. & Mattord, H.J. (2009). Principles of Information Security (3rd ed.). Boston, MA: Course Technology.

Did you pay attention?
• What are Hofstede’s Cultural Dimensions?
  • P______, I______, M______, U______, L______
• Which is more important for IS security design? National or organizational culture?
• Do computers/information systems have culture?
• What are the differences between high-context and low-context societies?
• What are the three main components of information system security (U.S. Code)?