Post on 04-Apr-2022
An Investigation of the Factors that Influence Information Security Culture in Government Organisations in Bhutan
By
Sonam Tenzin
This thesis is presented to fulfil the requirements for the degree of Doctor of Information Technology
Author’s Declaration
I declare that this thesis is my own account of my research and contains as its main
content work which has not previously been submitted for a degree at any tertiary
education institution.
___________________________________
Sonam Tenzin
Abstract
Adoption of information technology in organisations has increased the amount of data
and information being generated and stored. This information is essential for
individuals and organisations. Therefore, safeguarding information assets from
external and internal threats is of vital importance. Information security threats can be
categorised as technical and human-based threats, and human-based threats are major
sources of information security breaches in organisations (Glaspie & Karwowski,
2018). Large investments have been made by organisations to secure data and security
networks, but despite this, information security breaches as a result of human-based
action are on the rise (Ponemon, 2019).
Information security threats can be reduced by improving the information security
behaviour of employees. In addition, having an effective information security culture
is believed to contribute to improving information security behaviour. Information
security culture includes information security attitudes, assumptions, beliefs, values,
and knowledge that employees use when interacting with organisational information
assets and systems. To establish an effective information security culture, it is
important to identify and understand the key factors that influence information security
culture. This study therefore investigated the key factors that contribute to the
establishment of an effective information security culture and explored how
information security culture influences the information security behaviour of
employees. A research model was developed for the study based on an analysis of the
information security literature.
The target population for this research study is employees of government organisations
in Bhutan. Data was collected using an online questionnaire. Using responses collected
from 181 participants, the research model was tested using Partial Least Squares
Structural Equation Modelling (PLS-SEM). The research model explained a relatively
high proportion of the variability in information security culture (53.1%) but only
14.9% of the variability in information security behaviour. Six out of the nine
hypotheses were supported. Senior management support, information security
policy, training and awareness campaigns, interpersonal trust, and job- versus
employee-oriented organisational culture were shown to be factors influencing
information security culture. This study also found that establishing an effective
information security culture contributes to good information security behaviour.
Identifying the role of interpersonal trust is particularly valuable as it extends the work
of Dang-Pham, Pittayachawan, and Bruno (2017) and clarifies the importance of
interpersonal trust in establishing an effective information security culture, and
through that good information security behaviour.
These findings will help government policy makers and information security
practitioners when designing and developing information security strategies and
programs. This will establish effective information security culture in organisations to
nurture good information security behaviour.
Table of Contents
CHAPTER 1 INTRODUCTION
  1.1 Background
  1.2 Problem statement
  1.3 Research aim and questions
  1.4 Significance of the study
  1.5 Research approach
  1.6 Organisation of the thesis
CHAPTER 2 LITERATURE REVIEW
  2.1 Introduction
  2.2 Background information on Bhutan
    2.2.1 State of information technology and e-Gov in Bhutan
    2.2.2 Information communication technology and e-Gov challenges in Bhutan
  2.3 Information security
    2.3.1 How is information security defined?
    2.3.2 Information security threats and strategies
  2.4 Information security culture
  2.5 Factors influencing information security culture
    2.5.1 Senior management support
    2.5.2 Training & awareness campaigns
    2.5.3 Interpersonal trust
    2.5.4 Information security policy
    2.5.5 Organisational culture
    2.5.6 Other factors
  2.6 Information security behaviour
  2.7 Chapter overview
CHAPTER 3 RESEARCH MODELS AND HYPOTHESES
  3.1 Introduction
  3.2 Research questions
  3.3 Constructs of interest
  3.4 Research model and hypotheses
  3.5 Chapter overview
CHAPTER 4 RESEARCH METHODOLOGY
  4.1 Introduction
  4.2 Research design
  4.3 Participants
  4.4 Human ethics considerations
  4.5 Questionnaire development
    4.5.1 Demographic and background information
    4.5.2 Organisational culture
    4.5.3 Senior management support
    4.5.4 Training & awareness campaigns
    4.5.5 Interpersonal trust
    4.5.6 Information security policy
    4.5.7 Information security culture
    4.5.8 Information security behaviour
  4.6 Pre-testing
  4.7 Data collection procedure
  4.8 Data analysis technique
    4.8.1 Assessment of measurement model
      4.8.1.1 Internal consistency
      4.8.1.2 Convergent validity
      4.8.1.3 Discriminant validity
    4.8.2 Assessment of structural model
      4.8.2.1 Collinearity
      4.8.2.2 Path coefficients
      4.8.2.3 Total effects
      4.8.2.4 Coefficient of determination (R²)
      4.8.2.5 Effect size (f²)
      4.8.2.6 Predictive relevance (Q²)
      4.8.2.7 Effect size (q²)
  4.9 Chapter overview
CHAPTER 5 DATA ANALYSIS AND RESULTS
  5.1 Introduction
  5.2 Descriptive statistics
  5.3 Research model evaluation
    5.3.1 Measurement model evaluation
      5.3.1.1 Internal consistency
      5.3.1.2 Convergent validity
      5.3.1.3 Discriminant validity
      5.3.1.4 Construct descriptive information
    5.3.2 Structural model evaluation
      5.3.2.1 Collinearity
      5.3.2.2 Path coefficients
      5.3.2.3 Total effects
      5.3.2.4 Coefficients of determination (R²)
      5.3.2.5 Effect size (f²)
      5.3.2.6 Predictive relevance (Q²)
      5.3.2.7 Predictive relevance effect size (q²)
  5.4 Chapter overview
CHAPTER 6 DISCUSSION
  6.1 Introduction
  6.2 Discussion of hypotheses
    6.2.1 Process-oriented organisational culture does not influence information security culture
    6.2.2 Having an employee-oriented organisational culture has a positive influence on information security culture
    6.2.3 Having an open system organisational culture does not influence information security culture
    6.2.4 Having a tightly controlled organisational culture does not influence information security culture
    6.2.5 Senior management support has a positive influence on information security culture
    6.2.6 Training & awareness campaigns has a positive influence on information security culture
    6.2.7 Interpersonal trust has a positive influence on information security culture
    6.2.8 Information security policy has a positive influence on information security culture
    6.2.9 An effective information security culture has a positive influence on information security behaviour
  6.3 Model discussion
  6.4 Discussion of the research questions
  6.5 Chapter overview
CHAPTER 7 CONCLUSION
  7.1 Introduction
  7.2 Summary of findings
  7.3 Implications for research
  7.4 Implications for practice
  7.5 Limitations of the research
  7.6 Recommendations for future research
APPENDIX A SUMMARY OF RESEARCH INVESTIGATING FACTORS THAT INFLUENCE INFORMATION SECURITY CULTURE
APPENDIX B GOVERNMENT APPROVAL
APPENDIX C HUMAN ETHICS APPROVAL
APPENDIX D QUESTIONNAIRE
APPENDIX E INFORMATION LETTER
REFERENCES
List of Tables
Table 3-1 Constructs of interest
Table 3-2 Summary of hypotheses
Table 4-1 Demographic and background information questions
Table 4-2 Information security related questions
Table 4-3 Measurement items for organisational culture
Table 4-4 Measurement items for senior management support
Table 4-5 Measurement items for training & awareness campaigns
Table 4-6 Measurement items for interpersonal trust
Table 4-7 Measurement items for information security policy
Table 4-8 Measurement items for information security culture
Table 4-9 Measurement items for information security behaviour
Table 5-1 Age distribution
Table 5-2 Educational background
Table 5-3 Use of office computers
Table 5-4 Use of social networking sites for work
Table 5-5 Level of information security knowledge and skills
Table 5-6 Initial CR and Cronbach’s alpha of the constructs
Table 5-7 Initial outer loadings of the measurement items
Table 5-8 Final outer loadings for each construct
Table 5-9 Construct AVE and final CR
Table 5-10 Measurement item cross loadings
Table 5-11 Fornell-Larcker criterion for constructs
Table 5-12 HTMT ratio
Table 5-13 Construct summary descriptive statistics
Table 5-14 Inner VIF values
Table 5-15 Path coefficients
Table 5-16 Summary of hypothesis testing
Table 5-17 Total effects
Table 5-18 Effect size (f²)
Table 5-19 Predictive relevance (Q²)
Table 5-20 Predictive relevance effect size (q²)
Table 6-1 Results of the hypothesis testing with relationship strength
Table 6-2 R² values in information security studies
List of Figures
Figure 3-1 Proposed research model
Figure 4-1 Data analysis techniques
Figure 5-1 Final outer loadings
Figure 5-2 Final PLS path model
Acknowledgements
I would like to thank GOD for blessing me with good health and a happy life. I would
like to acknowledge and thank people who have helped me in my doctoral study
journey.
Firstly, I would like to express my greatest gratitude and appreciation to my research
supervisors, Professor Tanya McGill and Dr. Michael Dixon (Mike), for their
continuous support, guidance, and understanding. Professor Tanya and Dr. Michael
have enormous research experience and immense knowledge on the research topic.
They provided me with insightful and relevant feedback and suggestions while writing
my thesis, which greatly helped me shape it. Their constant advice and mentoring also
helped me grow academically. I consider myself blessed to have them as my
supervisors, and I believe it is because of good karma that we crossed paths as a student
and supervisors. I could not have imagined completing this thesis without their support
and understanding. Thank you, Professor Tanya and Dr. Michael.
Secondly, I would like to thank Hon’ble Secretary Late Dasho Karma R. Penjor of
the Ministry of Information and Communications, Royal Government of Bhutan, for
providing me government approval to conduct a research study in government
organisations in Bhutan, and Mr. Sonam Phuntsho who is the Head of the Telecom
Division in the Department of Information Technology and Telecom under the
Ministry of Information and Communications, Royal Government of Bhutan, for
helping me with the collection of research data. I would also like to thank Dasho Phuntsho
Tobgay who is the current Hon’ble Secretary of the Ministry of Information and
Communications for his continuous guidance and mentorship.
Thirdly, I would like to thank my wife Phuntsho Wangmo, my two beautiful daughters,
Lhatshog Bumden Dorlma and Dylane Jangsem Dorlma, and my parents and in-laws
for their continued support, understanding and love. I would also like to thank my
sister-in-law Ms Kelzang Wangmo for her support and caring for my daughters during my
absence.
Lastly, I would also like to thank the staff members of Murdoch University for
supporting my research journey, particularly during the COVID-19 pandemic.
Chapter 1 Introduction
1.1 Background
Adoption of information technology has created massive opportunities for businesses
and organisations. For example, information assets are shared across boundaries in a
faster and more efficient manner using information technology, and the use of
information technology systems in organisations also helps remove the need for large
physical spaces to store paper-based information in the form of files and documents.
However, the use of information technology systems can also make information
security breaches easier and, in some cases, not detectable (ACS, 2016). To ensure
that organisations survive in a highly competitive world, it is important that they
safeguard their information assets from cybersecurity threats and information security
threats more generally.
Parsons et al. (2015) categorised information security threats into technical and
human-based threats. Schultz (2005) also indicated that information security is both a
‘people issue’ and a ‘technical issue’. Information security threats can arise from
human behaviour, and organisational and technological designs (Soomro, Shah, &
Ahmed, 2016). Addressing technical threats alone cannot mitigate information
security risks completely. In most organisations technical solutions already exist
(AlHogail, 2015b; Parsons et al., 2015), and therefore, to minimise information
security risks increased attention should be given to human-based threats.
In the information security chain, humans are considered the weakest link (da Veiga
& Eloff, 2010; Spitzner, 2018). Human-based errors or issues are considered to be the
major source of information security threats or risks to organisations (Glaspie &
Karwowski, 2018; Herath & Rao, 2009). Human-based information security threats
occur because of intentional, accidental and careless security behaviour of users,
employees and management. For example, an employee’s reaction to malicious or
phishing emails has implications for information security (Parsons, McCormac,
Pattinson, Butavicius, & Jerram, 2013). An employee may also intentionally give away
organisational information or misuse information security weaknesses for personal gain
(McCormac, Parsons, & Butavicius, 2012). However, most information security
breaches are caused by unawareness or naivety of employees (Parsons, McCormac,
Butavicius, Pattinson, & Jerram, 2014). These kinds of threats pose a greater risk than
outside threats (McCormac et al., 2012).
Information security behaviour refers to a set of activities that is to be followed to
maintain information security (Padayachee, 2012). Information security breaches
caused by human errors can be minimised by improving information security
behaviour (Nasir, Arshah, & Ab Hamid, 2019). One way that is believed to improve
security behaviour is to establish an effective information security culture (da Veiga
& Martins, 2017). An effective information security culture is a culture that promotes
good information security behaviour (Bozic, 2012). Information security culture has
been defined as a collection of perceptions, attitudes, values, assumptions, and
knowledge that help employees exhibit good information security behaviour
(AlHogail & Mirza, 2014b). The primary purpose of creating an effective information
security culture is to manage and reduce information security risks to information
assets to achieve the overall goals and objectives of the organisation (AlHogail &
Mirza, 2015).
To improve information security culture, it is important to determine the factors
influencing information security culture, and to understand the role of information
security culture in the information security behaviour of employees. The factors that
may influence information security include external environmental factors and internal
factors such as organisational factors, management factors, human factors, and factors
relating to mutual trust as identified by da Veiga, Astakhova, Botha, and Herselman
(2020) (see da Veiga et al. (2020) for a summary). The research described in this thesis
identifies key factors that help establish information security culture and explores how
information security culture influences information security behaviour. The focus of
this research is government organisations in Bhutan.
In this chapter an overview of the research problem addressed in this thesis is provided,
followed by a discussion of the research aim and research questions. The
significance of the study and the research approach are then presented. Lastly, the
organisation of this thesis is presented.
1.2 Problem statement
Information is gathered, exchanged, and used by organisations to fulfil their goals and
objectives. Adoption of information technology systems to perform business functions
has made information vulnerable to threats and breaches. Large investments are made
by organisations to secure data and networks, and in cyber defence systems (Safa et
al., 2015). Despite this effort, information security breaches are increasing as less
attention has been paid to information security culture and human behaviour than to
technical security solutions (Glaspie & Karwowski, 2018). The Office of the
Australian Information Commissioner reported that human actions accounted for 38%
(an increase of 4% from the previous period) of the data breaches in all sectors in
Australian businesses in the period July to December, 2020, and human actions
accounted for the second largest source of data breaches in Australian businesses in
2020 (OAIC, 2021). To secure information assets from external and internal threats it
is critical to establish an effective information security culture and improve employee
information security behaviour. To do that, more understanding of the factors that
influence information security culture and behaviour is needed.
There is a wide range of factors that could potentially influence information security
culture and the security behaviour of employees (Furnell & Rajendran, 2012; Furnell
& Thomson, 2009; van Niekerk & von Solms, 2010), and having an effective
information security culture is believed to be associated with improved information
security behaviour of employees (Nasir, Arshah, & Ab Hamid, 2019). Some of the
most widely proposed factors believed to influence information security culture
include level of commitment of senior management to information security initiatives
(Alnatheer, Chan, & Nelson, 2012; Knapp, Marshall, Rainer, & Ford, 2006; Martins
& da Veiga, 2015; Masrek, Zaidi, & Harun, 2018; Nasir, Arshah, & Ab Hamid, 2019),
availability of information security policy (Martins & da Veiga, 2015; Masrek et al.,
2018), organisational culture (Wiley, McCormac, & Calic, 2020), levels of
information security education (Nasir, Arshah, & Ab Hamid, 2019), and availability
of training and awareness campaigns (Alnatheer et al., 2012; da Veiga, 2015b; Masrek
et al., 2018). However, there are no universally agreed factors (Tolah, Papadaki, &
Furnell, 2017) and factors identified by researchers differ from one study to another
(Lopes & Oliveira, 2014; Nasir, Arshah, & Ab Hamid, 2019). Therefore, there is a
need for further research to clarify what factors are most influential in establishing an
effective information security culture.
Most information security culture studies have been carried out in developed countries
where demographic, cultural and infrastructural settings are different than in
developing countries. Those that have been undertaken in developing countries include
the study by Masrek et al. (2018) which focused on Malaysian public sector
organisations to assess their information security culture, and the study by Alnatheer
(2012) which assessed information security culture in Saudi Arabian organisations.
More research is needed in developing countries to understand whether the findings
from studies in developed countries apply more broadly. Since the research described
in this thesis is undertaken in Bhutan (a developing country in South East Asia
(UNCTAD, 2020)) it will address this lack of understanding of the applicability of
findings across types of country. Therefore, it is important to undertake this research.
Information security research undertaken in Bhutan is very limited (Choejey, Murray,
& Fung, 2017). The existing literature relating to Bhutan attempts mostly to assess the
state of cybersecurity, with very little discussion of information security and
information security culture. Based on currently available government reports, news
articles and research papers, the information security maturity model in Bhutan may
be in the ‘initial compliance’ stage as proposed by Saleh (2011). Information security
policies and levels of employees’ information security awareness and knowledge may
not have been adequately addressed to protect information and information systems.
For example, the Bhutan ICM Act 2018 highlights data protection, information
privacy, and offences and penalties for failing to protect data and unlawful disclosure
of data or information (RGoB, 2018). However, most government organisations in
Bhutan lack appropriate information security guidelines and policies for their
employees to follow. The only available information security policy document is the
Information Management and Security Policy (IMSP) (Fung, Wong, Murray, Xie, &
Choejey, 2015), which was launched in April, 2009. In 2015, a study by the Global Cyber
Security Capacity Centre found that this policy document was neither fully implemented
nor adopted by government organisations in Bhutan (Roberts, 2015). A study by Fung
et al. (2015) also found that 41% of government employees were not at all aware of
this policy document, and in 2017 the same researchers found that there had been no
research undertaken to determine how successfully the policy was implemented in
government organisations (Choejey et al., 2017). Even senior management have not
given adequate levels of priority to providing resources for the adoption of information
security standards (Roberts, 2015). Further, government employees’ levels of
awareness and knowledge of information security risks and threats may also be low as
there is widespread use of pirated or cracked software in government organisations in
Bhutan (Seldon, 2018). The prevalence of these issues in government organisations in
Bhutan may be because there is a poor information security culture. Therefore, it is
important to undertake this research.
In Bhutan, the concept of tha dhamtshig is widely practised, literally translated as
‘boundary of the sacred oath’ (Kinga, 2001, p. 153). It refers to social values – promise
and duty of love, interpersonal trust, reciprocity, compassion, respect and loyalty to
one another. This concept in Bhutan is widely practised in three different ways - tha
dhamtshig between teacher and student, tha dhamtshig between parent and children,
and lastly tha dhamtshig between elder/leader and younger/subordinate (Dorji,
Jamtsho, Gyeltshen, & Dorji, 2013). This practice is not restricted to these three
relationships, but is extended to relatives, neighbours, friends, and community
members. This concept is built upon the idea of reciprocity (Kinga, 2001), widely
known in Bhutan as Drilin jelni (repaying kindness), and loteg Hingteg (trustable), and
these are exercised through pham phuencha (parents and relatives), ngen nghew (kith
and kin), and cham thuen (friends and relatives) (Dorji et al., 2013). Reciprocity is a
driver of cooperation and relationships based on obligation, interpersonal trust and
commitment. Most relationships in Bhutan are fostered based on the above-mentioned
social values. A survey found the existence of high levels of interpersonal trust in Bhutan
(Dorji et al., 2013). Interpersonal trust in this study is defined as willingness of a person
to rely on another person or party in the belief that they will not disappoint them
intentionally.
Several authors propose that trust may play an important role in the information
security of organisations (e.g. Astakhova, 2015; da Veiga et al., 2020; Safa, von Solms,
& Furnell, 2016), and Astakhova (2020) argues that mutual trust influences
information security culture. Therefore, it is important to understand whether the high
level of interpersonal trust in Bhutan plays a role in the information security culture of
its government organisations.
1.3 Research aim and questions
The aim of the research described in this thesis is to determine the factors that influence
the establishment of an effective information security culture, and to understand the
relationship between information security culture and information security behaviour
in government organisations in Bhutan. To address this research aim, two research
questions were proposed.
The first question is: RQ1 What factors influence the information security culture of
government organisations in Bhutan?
This research question aims to determine the factors that influence the establishment
of an effective information security culture in government organisations in Bhutan.
The factors investigated in this thesis are based on a comprehensive review of the
literature.
The second question is: RQ2 How does information security culture influence the
information security behaviour of government employees in Bhutan?
This question aims to understand the relationship between information security culture
and employee information security behaviour in government organisations in Bhutan.
Answering this question will help in understanding how an effective information
security culture can influence employee information security behaviour.
1.4 Significance of the study
There have been few information security research studies undertaken in developing
countries. The findings from this research study will add to the limited information
security culture literature for developing countries as this research is undertaken in
Bhutan, which is categorised as a developing country (UN, 2019). Since the factors
identified in the existing information security culture literature may not be easily
generalised to other countries with different cultural settings (Nasir, Arshah, & Ab
Hamid, 2019), this research will help identify critical factors that can improve
information security culture, and that are specifically relevant to the government
organisations in Bhutan.
The only existing information security related research studies undertaken in Bhutan
at the time of this research were focused on cybersecurity (Choejey et al., 2017). This
research study is the first of its kind that has been undertaken in Bhutan, and the
findings will serve as a foundation for future research in this field in Bhutan. This
research study will also help encourage other researchers to undertake future research
on this and related issues in developing countries.
There have been a very limited number of information security studies undertaken to
understand the role of interpersonal trust in information security culture. Most
previous trust related studies have focused on customer trust (e.g., Al-Khalaf & Choe,
2020; da Veiga & Eloff, 2010; Martins & da Veiga, 2015) and trust in information
technology (e.g., Lankton, McKnight, & Tripp, 2015; Mcknight, Carter, Thatcher, &
Clay, 2011; Meeßen, Thielsch, & Hertel, 2020; Vance, Elie-Dit-Cosaque, & Straub,
2008). The findings of this study will add to the existing literature and help further
understand the role of interpersonal trust in information security culture.
The findings should help management of organisations understand and prioritize key
factors influencing establishment of an effective information security culture. The
results should also help organisations while designing and developing information
security strategies and programs. Also, the study will provide a basis to improve the
information security culture in government organisations in Bhutan.
1.5 Research approach
To address the research aim and answer both the research questions, an information
security culture model was developed based on a review of the information security
literature. The literature review identified senior management support (Knapp et al.,
2006; Masrek et al., 2018), information security training and awareness campaigns (da
Veiga et al., 2020; Whitman & Mattord, 2016), information security policy (da Veiga
et al., 2020; Tolah et al., 2017), interpersonal trust (da Veiga et al., 2020; Dang-Pham
et al., 2017; Rajaonah, 2017), and several of Hofstede’s organisational culture
dimensions (Hofstede, Neuijen, Ohayv, & Sanders, 1990) as potential factors that may
influence establishment of an effective information security culture. The dimensions
that the literature suggests are most relevant to information security culture are
process- versus results-oriented organisational culture, employee- versus job-oriented
organisational culture, open versus closed organisational culture, and tightly versus
loosely controlled organisational culture (Tang, Li, & Zhang, 2016). Hofstede’s
organisational culture dimensions (Hofstede et al., 1990) have been widely used and
accepted in information security studies that conceptualise organisational culture (e.g.
Bös, Dauber, & Springnagel, 2011; Chang & Lin, 2007; Connolly, Lang, Gathegi, &
Tygar, 2016; Tang et al., 2016), and therefore are used in this research.
A quantitative research method was chosen for the research study to facilitate testing
of the hypotheses associated with the proposed model (Mehrad & Tahriri, 2019). An
online questionnaire was used for the data collection. This approach was chosen
because it would enable the soliciting of the perceptions of government employees in
their natural work setting and help in collecting data on information security
behaviours that are difficult to observe. The survey method was also appropriate
because it is relatively easy to administer (Shapiro, Bessette, Baumlin, Ragin, &
Richardson, 2004). The target population for the research study is civil servants in
Bhutan. The participants were recruited with the help of Bhutan’s Department of
Information Technology & Telecom, which sits under the Ministry of Information and
Communications.
The majority of the questionnaire items were adopted from the existing information
security research. The data collected was cleaned, screened and pre-analysed using
SPSS. The data was then analysed using the partial least squares structural equation
modelling (PLS-SEM) technique, using SmartPLS 3.0 (Ringle, Wende, & Becker,
2015).
1.6 Organisation of the thesis
This thesis is organised in seven chapters. Firstly, in Chapter 1, a general background
to the study is provided, followed by a discussion of the research problem. Then the
chapter presents the research aim and research questions, followed by a discussion of
the significance of the study and research approach used in it.
Chapter 2 begins with background information on Bhutan, where the research study
was conducted. It then introduces information security and the threats associated with
it. This is followed by a review of the literature on factors that potentially influence
information security culture. Lastly, the chapter provides a review of the information
security behaviour literature.
Chapter 3 describes the research model and hypotheses. In this chapter, the research
aim and questions are first discussed, and this is followed by a description of the
constructs of interest. Then the development of the research model is discussed and the
hypotheses and their justifications are provided.
Chapter 4 discusses the research methodology used in the study. In this chapter, firstly,
an overview of the research design is presented. This is followed by discussions of the
recruitment of the participants, questionnaire development, pre-testing of the
questionnaire and the data collection procedure. The data analysis techniques used to
assess the structural and measurement models are also described.
Chapter 5 presents the results of the study. Firstly, the chapter provides descriptive
statistics about the participants and their use of technology in the workplace. This is
followed by a complete report of the results of the measurement model and structural
model evaluations.
Chapter 6 provides a discussion of the results. The chapter begins with a discussion of
the hypothesis testing, and a discussion of the research model is then provided. In the last
part of the chapter, progress towards answering the research questions is discussed.
Chapter 7 provides the conclusion to the thesis. It first provides a summary of the key
findings of the research and then discusses the research and practical implications of
these results. The chapter also highlights key limitations of the research and makes
recommendations for future research arising from this study.
Chapter 2 Literature Review
2.1 Introduction
The previous chapter provided a brief introduction to the research described in this
thesis, and presented the research aim and research questions. This chapter reviews the
literature relevant to both research questions that are addressed in the research
described in this thesis.
The chapter starts by providing background information on Bhutan, where the study
was conducted; this includes a description of the state of information communication
technology and e-Government (e-Gov) initiatives in Bhutan and the challenges
associated with these initiatives. This is followed by a review of definitions of
information security and a discussion of information security threats and strategies to
address these threats. Following this, a review of the information security culture
literature is provided. This focusses primarily on potential factors influencing
information security culture. This provides a starting point to address RQ1. The
chapter also provides a brief review of the literature on the potential relationship
between information security culture and information security behaviour, which
provides a starting point to address RQ2.
2.2 Background information on Bhutan
Bhutan is a small country located between India and China. Bhutan has a land area of
38,394 square kilometres with 20 district headquarters which comprise 205 local
government offices (NSB, 2020). The United Nations categorises Bhutan as a
developing country (UNCTAD, 2020), but its gross domestic product (GDP) has
grown significantly from Nu. 1.673 billion (in local currency) in 1980-1981 to Nu. 164
billion (approximately USD 2.4 billion) in 2017. In 2018, Bhutan's Human
Development Index (HDI) stood at 0.617 (UNDP, 2019). A higher HDI index,
measured on a scale of 0-1, indicates a higher level of education, a higher life span, and
a higher gross national income per capita. Bhutan's economic growth is mainly
attributed to the electricity sector and the tourism sector.
As an alternative to GDP, Bhutan uses Gross National Happiness (GNH) to guide its
development. GNH is a developmental philosophy that is a holistic and sustainable
approach that seeks to achieve a harmonious balance between material well-being and
non-material values that are essential for happiness. GNH consists of four pillars
(sustainable and equitable socio-economic growth, good governance, environmental
conservation, and preservation and promotion of culture) and is measured using nine
domains (living standard, education, health, environment, community vitality, time-
use, psychological well-being, good governance, and cultural resilience and
promotion). The 2015 GNH survey conducted by CBS (2016) found that most of the
people in Bhutan were happy.
The population and housing census of Bhutan conducted in 2017 recorded a population
of 735,553 persons, of whom 681,720 are Bhutanese (NSB, 2017). The median age is
26.9 years, which indicates that half of the Bhutanese population is younger than 26.9
years (NSB, 2017). At the time of the census, 62.2% lived in rural areas, and 37.8%
lived in urban areas. The general literacy rate of the Bhutanese was recorded as 71.4%
(NSB, 2017).
The working-age population was estimated at 481,821 in 2019 (NSB, 2019), and the
employment rate was 97.3% (97.8% male and 96.7% female). The number of civil
servants in Bhutan almost doubled from 19,848 in 2008 to 30,032 (26,852 were regular
employees and 4,180 were contract employees) as of 31st December 2019 (RCSC,
2019b), and they accounted for 6.4% of the working-age population.
2.2.1 State of information technology and e-Gov in Bhutan
The Internet was first introduced in Bhutan in 1999 with one licensed Internet service
provider (ISP). By 2020, eight licensed ISPs were operating in the country. As of
December 2019, there were 818,612 Internet subscribers (MoIC, 2019).
e-Gov involves delivering government services and information with the help of the
Internet and digital means (West, 2001). As a part of the e-Gov initiative, the
government started the establishment of a high-speed national broadband masterplan
project. Through this broadband masterplan project, the Bhutan government has
connected 201 local government offices (gewogs), and 20 district headquarters
(dzongkhags) to fibre network (DITT, 2020). Additionally, 759 government
organisations have been connected to this network, and 23 educational and health
institutions have also been linked to DrukREN (Druk Research and Education
Network) via this project (DITT, 2019). The government also implemented the Google
Suite Project in 2014 to help government employees communicate effectively and
securely.
The government has also automated about 174 Government-to-Citizen (G2C) and
Government-to-Business (G2B) services, and they are available online (GNHC, 2019).
Most of these e-services are hosted in the Government Data Centre (GDC) established
in Thimphu Technology Park. However, some government organisations still run their
e-services from local servers located in their premises.
In the cybersecurity domain, the Bhutan Computer Incident Response Team (BtCIRT)
was established in 2016 to help safeguard national information communication
technology assets. The team has also conducted a number of cybersecurity awareness
and training programs (DITT, 2019), scanned at least 93 government systems for bugs
(DITT, 2017), and resolved over 266 security incidents (DITT, 2019).
In terms of the regulatory framework, the 2006 Information Communication and
Media Act (ICM Act 2006) was expanded and revised in 2018 as the ICM Act 2018
(RGoB, 2018). In the new Act, new clauses or sections on data protection, information
privacy, and offences and penalties for failing to protect data and unlawful disclosure
of data or information were added. In addition to this act, the Bhutan Information
Communication Technology Policy and Strategy 2009, the Bhutan Information
Management Security Policy, the Bhutan Telecommunications and Broadband Policy
2014, the e-Gov Policy, the Rules on the Provision of Information Communications
Technology Facilities and Sharing, the Information Communications Technology
Infrastructure Sharing Rules, the Local Area Networking (LAN) rules, and the
Software Development Guidelines are now in place (DITT, 2017). Most of these
policies and regulations are telecommunication and infrastructure focused. For
example, neither the Bhutan Telecommunications and Broadband Policy (established
2014) nor the Bhutan Information Communication Technology Policy and Strategy
(2009) addresses information security concerns. A study by Fung et al. (2015) found
that the majority of the government employees were not aware of the Bhutan
Information Management Security Policy, and that other existing policies were
inadequate to address cybersecurity threats or risks. It also found that there were no
risk management processes in place to help identify information assets that need
protection, prioritisation, and evaluation to ensure adequate security controls.
2.2.2 Information communication technology and e-Gov challenges in Bhutan
Bhutan's geo-political location, harsh mountain terrain, and sparsely scattered
population made it difficult to implement information communication technology
initiatives. Despite these challenges, the government's concerted efforts have enabled
substantial progress. For example, the Internet and television started in 1999. In two
decades, Bhutan has implemented high-speed broadband connectivity across the
country and 4G (or at least 3G) mobile Internet coverage in almost all the blocks
(gewogs), and the government services are mostly automated and provided online.
However, Bhutan, as a developing country, also has its own set of challenges that
impede progress. These challenges include lack of information technology and
technical competency, lack of awareness and training, low levels of leadership support,
and lack of resources (DITT, 2019). These challenges, including low levels of
acceptance of technology programs by government employees, were also highlighted
in the revised Bhutan ICT Roadmap (IDA, 2015).
Rai and Kurnia (2017) explored factors affecting the growth of information technology
in Bhutan and reported that lack of opportunities for information technology
professionals to use their skill sets, lack of enabling environments to attract foreign
investments in information technology, lack of reliable infrastructure, and lack of
appropriate policies were important factors affecting the development of the
information technology industry in Bhutan.
Fung et al. (2015) surveyed information technology professionals in government
organisations in Bhutan and found that 66% believed there was no cybersecurity
policy, 77% that there were no risk management plans, and 47% were not aware of
security standards and protocols. Also, 65% indicated that they do not have the
resources to handle security incidents, 68% were not trained in cybersecurity, and 91%
were victims of security incidents. These figures highlight the issues faced in
protecting Bhutan’s information assets. Based on these findings, Choejey, Murray, and
Fung (2016) identified awareness and training, policy and standards, and adequate
financing as central to successful cybersecurity implementation in Bhutan. These
issues could be associated with poor information security culture in Bhutan, and
therefore, research on information security culture in Bhutan is needed.
2.3 Information security
A large amount of information is generated because of increasing technological
innovation and development, which is fuelled by the evolution of the Internet of
Things. Information that is being created is of importance to individuals and
businesses. This information is considered an important asset at the individual,
organisational, and national levels (Adbullahi, Igbinovia, & Solanke 2015).
Information security consists of three key elements: confidentiality, integrity, and
availability (Anderson, 2003; CNSS, 2015; Samonas & Coss, 2014). Protecting these
three key elements from external and internal threats is of vital importance and can be
a challenge to organisations. Implementation of proper information security
management, standards, and strategies is considered one of the ways to safeguard
information security. In this section, firstly, definitions of information security are
provided, and then information security threats and strategies are discussed.
2.3.1 How is information security defined?
Information security is protection of confidentiality, integrity, and availability of
information assets. The Committee on National Security Systems (CNSS, 2015, p. 63)
defined information security as "the protection of information and information systems
from unauthorized access, use, disclosure, disruption, modification, or destruction in
order to provide confidentiality, integrity, and availability." Cisco (2019) similarly
defines information security as the processes and tools that are designed and deployed
to safeguard the reliability, authenticity, and availability of information.
In the information security literature, the terms information systems security and
information security are both used. Information systems security refers to the
protection of all elements (hardware, software, information, people, and processes) of
information security (Kokolakis, Karyda, & Kiountouzis, 2005). National Security
Agency Central Security Service has defined information systems security as "the
protection of information systems against unauthorized access to or modification of
information, whether in storage, processing or transit and against the denial of service
to authorized users or the provision of service to unauthorized users, including those
measures necessary to detect, document, and counter such threats." (CNSS, 2015, p.
66). Based on these definitions, information security can be referred to as protection
of information confidentiality, integrity, and availability supported by the elements
(hardware, software, information, people, and processes) of information systems
security.
2.3.2 Information security threats and strategies
Implementation of technology in businesses has exposed business information to
various types of internal and external threats. Almost all businesses face information
security risks irrespective of their information maturity level. The information assets
of most organisations in the UK have been either breached or attacked (Vaidya,
2018). Therefore, fostering an appropriate level of information security maturity may
help to achieve information security objectives such as confidentiality, integrity, and
availability. Saleh (2011) proposed five information security maturity levels based on
information security compliance (none, initial, basic, acceptable, and full).
Organisations with full compliance information security maturity levels are less
vulnerable when compared to organisations with lower levels of information maturity.
A study by EY (2019) identified that the most common information security threats
are caused by email phishing, malware, cyberattacks (disruption), theft, spam, and
internal threats. Similarly, the Australian Cyber Security Centre (ACSC, 2016) found
that malware, email phishing, social engineering, and denial of service are the most
reported information security incidents. These types of information security threats are
major causes of financial losses and damage to critical information and information
systems resources (EY, 2019; Ponemon, 2020; Rabai, Aissa, & Mili, 2012; Rabai,
Jouini, Aissa, & Mili, 2013). These types of security threats may often go unnoticed
by senior management (Geric & Hutinski, 2007) because they may have a low level
of information security understanding. EY (2019) found that only 39% of senior
managers have an understanding of information security.
Many studies have focused on technological vulnerabilities and countermeasures to
information security (e.g., Anita, Kavita, & Kirandeep, 2013; Choi, Robles, Hong, &
Kim, 2008; Goel & Mehtre, 2015; Nagamalai, Dhinakaran, Sasikala, Lee, & Lee,
2005). Just focusing on technical aspects may not address information security
breaches caused by human actions (Safianu, Twun, & Hayfron-Acquah, 2016). Human
actions are believed to be the weakest link in the information security chain (da Veiga
& Eloff, 2010) and are considered a major source of information security
incidents/breaches in organisations (Ponemon, 2019). Information security breaches
caused by human actions can be classified as malicious or non-malicious threats. Non-
malicious breaches occur as a result of employees’ unawareness and accidental actions
or errors, whereas malicious breaches are caused intentionally by humans. A study by
Safianu et al. (2016) revealed that non-malicious security breaches were often caused
by the use of unauthorized applications, leaving computers unattended, and not
adhering to information security protocols and policies. This study also found that
employees who are unhappy with their job and managers are more likely to cause
malicious security breaches.
Information security threats are also classified as internal or insider and external or
outsider threats. The internal threats are caused by the actions of employees or failures
of organisational processes. In contrast, external threats can be caused by natural
disasters, physical intrusion, and attacks occurring through wired or wireless networks.
Internal threats are usually controlled and minimised at the organisational level, but
the threats caused by external forces can be difficult to control (Jouini, Rabai, & Aissa,
2014). For example, the information security threats from natural disasters such as
earthquakes cannot be controlled, but the impact can be minimised.
Researchers have suggested various measures to control and minimise information
security breaches or threats at the organisation level. For example, Safianu et al. (2016)
suggested adopting a holistic information security management framework with
human factors as an essential component. They have provided recommendations to
formulate appropriate information security policy and to create information security
awareness for users. Kumar (2016) recommended that having an effective information
security policy will help mitigate information security threats and risks and noted that
for effective information security policy, there should be appropriate support from
senior management, user training and awareness should be provided, and policy should
be enforced appropriately.
The International Organisation for Standardization (ISO) and International
Electrotechnical Commission (IEC) standards provide a set of recommendations in the
form of standards for information security management. For example, ISO 27000 is a
series of standards focusing on information security matters. One of the standards
under the ISO 27000 family is ISO 27005:2018, which focuses on risk management
through the implementation of controls on a wide range of threats (ISO/IEC, 2018).
The level of adoption or usage of these ISO standards in organisations has been low
(Al-Ahmad & Mohammad, 2012), but is rising (ISO/IEC, 2020). Adoption issues may
occur as the standards generally do not fit well with organisational structure and
purpose, and do not address all organisational information security objectives (Barlette
& Fomin, 2010). Also, the adoption of these standards in organisations has been found
to be very costly and time-consuming (Gillies, 2011).
2.4 Information security culture
Schein (2010, p. 17) defines culture as “a pattern of shared basic assumptions that was
learned by a group as it solved its problems of external adaptation and internal
integration, that has worked well enough to be considered valid and, therefore, to be
taught to new members as the correct way to perceive, think, and feel in relation to
those problems”. Culture is both a “here and now” dynamic experience and a coercive
background structure that inspires us to react in multiple ways (Schein, 2010). Culture
consists of social norms, values, customs, traditions, and beliefs, which are shaped by
human behaviours, social learning and the rule of law. Culture is taught to the wider
group or society as a way of life. The basic components of culture are also components
of organisational (Schein, 1992) and information security culture (da Veiga et al.,
2020).
In this section, some of the most commonly discussed information security culture
definitions in the information security literature are presented to provide a clear
understanding of what the term ‘information security culture’ means in the context of
this research.
Human elements are considered the weakest link in the information security domain
(da Veiga & Eloff, 2010). Using technical measures to safeguard information from
information security threats and risks may not be adequate, as human error or
negligence causes different types of information breaches in organisations (Appari &
Johnson, 2010; Parsons et al., 2014). To lower the risk of information security breaches
or threats caused by employees, organisations attempt to create a good information
security culture. Having an effective information security culture may help reduce
risky information security behaviour and help minimise unnecessary or non-work
access to organisational information assets (Mahfuth, Yussof, Baker, & Ali, 2017; van
Niekerk & von Solms, 2010), and establishing a positive information security culture
has been recommended to minimise and manage information security risks and to
protect the organisational information assets of organisations (e.g., AlHogail, 2015b;
Astakhova, 2015).
Information security culture has been a topic of research for many information security
researchers (e.g., da Veiga & Eloff, 2010; Nasir, Arshah, & Ab Hamid, 2019), and
they have defined information security culture in different ways. A review of
information security definitions from 2003 to 2016 by Mahfuth et al. (2017) found that
there is no mutually agreed definition. The following paragraphs discuss the most
commonly used information security culture definitions in the information security
literature.
Martins and Eloff (2002) explained information security culture in relation to
information security behaviour, and defined information security culture as the
assumptions about what kind of information security behaviours are acceptable and
encouraged that become a natural way of doing things to help protect organisational
information assets. Similarly, Dhillon (2007) includes behaviour in his definition,
considering information security culture to be the collection of human attributes such
as behaviours, attitudes, and values that contribute to the protection of all the kinds of
information in a given organisation. Malcolmson (2009, p. 361) also includes
behaviour in his conception of information security culture and defines it as “the
assumptions, values, attitudes, and beliefs held by employees of an organisation and
behaviour they perform, which could potentially impact the security of that
organisation, and that may or may not have an explicit known link to the impact”.
Some authors, however, define information security culture as influencing security
behaviour rather than including it. For example, AlHogail and Mirza (2014b) defined
information security culture as the collection of employees' perceptions, attitudes,
assumptions, values, and knowledge that help employees to be consistent with
organisational information security requirements with the aim of influencing
information security compliance behaviour and to protect information security assets.
Similarly, da Veiga, Martins, and Eloff (2007) defined information security culture as
the information security perceptions, attitudes, and assumptions that are accepted,
adopted, and encouraged in an organisation to protect information assets. In a later
paper, da Veiga and Eloff (2010, p. 198) defined information security culture as "the
attitudes, assumptions, beliefs, values, and knowledge that employees/stakeholders
use to interact with the organisation's systems and procedures at any point in time. The
interaction results in acceptable or unacceptable behaviour (i.e., incidents) evident in
artefacts and creations that become part of the way things are done in an organisation
to protect its information assets".
A very broad, comprehensive definition of information security culture has recently
been provided by da Veiga et al. (2020, p. 19). They explain it as “Information security
culture is contextualised to the behaviour of humans in an organisational context to
protect information processed by the organisation through compliance with the
information security policy and procedures and an understanding of how to implement
requirements in a cautious and attentive manner as embedded through regular
communication, awareness, training and education initiatives. The behaviour over
time becomes part of the way things are done, i.e., second nature, as a result of
employee assumptions, values and beliefs, their knowledge of, attitude towards and
perception of the protection of information assets.”
In this thesis, information security culture is defined as the information security
attitudes, assumptions, beliefs, values, and knowledge that are used while interacting
with organisational information assets and systems, which may change employees’
information security behaviour.
2.5 Factors influencing information security culture
This section discusses the factors that could potentially influence the establishment of
an effective information security culture. The potential factors discussed in this section
were identified from an analysis of the information security culture literature. See
Appendix A for a summary of key findings from studies that have investigated factors
that potentially influence information security culture.
The review of information security literature found that various types of factors have
been proposed to influence the establishment of information security culture. For
example, da Veiga and Martins (2017) categorised factors as internal and external.
External factors are environmental factors or external to the organisation, whereas
internal factors are intra-organisational or internal to the organisation. However, there
is no strong consensus on what factors are most important in determining information
security culture, with the factors studied varying from one study to another (Lopes &
Oliveira, 2014; Nasir, Arshah, & Ab Hamid, 2019). Based on a systematic literature
review of information security culture research, Nasir, Arshah, Ab Hamid, and Fahmy
(2019) reported a lack of uniformity in what factors researchers investigate in studies
on information security culture. This may be because the researchers used different
concepts of information security culture. Therefore, organisations are often
recommended to determine which factors are relevant to their own organisation to
develop an effective information security culture (da Veiga et al., 2020).
2.5.1 Senior management support
Senior management or leadership is about achieving a common goal (Northouse,
2010). Senior management is responsible for all business affairs, and this includes
information security. In the information security domain, senior management support
is one of the critical elements that influence the security of information assets
(Bulgurcu, Cavusoglu, & Benbasat, 2010; Kayworth & Whitten, 2010; Paliszkiewicz,
2019). Without senior management support, implementing and managing information
security programs is likely to be difficult.
Senior management support has been posited to influence information security
perceptions, beliefs, and attitudes (Hu, Hart, & Cooke, 2006). This contention is
supported by Cuganesan, Steele, and Hart (2018) in their study on the influence of
senior management and workplace norms on information security attitudes and self-
efficacy. The study found that senior management support directly influences
information security attitudes of employees, even in large organisations. Safa and von
Solms (2016) found that senior management support can also affect the compliance
behaviour of the employees by facilitating training, knowledge sharing, and security
collaboration.
A systematic literature analysis by Hassan, Ismail, and Maarop (2015) found senior
management support to be a critical factor affecting the establishment of information
security culture, and da Veiga and Eloff (2010) included leadership and governance as
a dimension in their Information Security Culture Framework (ISCF). Similarly,
Alnatheer et al. (2012) undertook a study to measure and understand information
security culture and found top management support to be one of three factors
influencing information security culture. Knapp et al. (2006) also found that senior
management positively influences the development of information security culture and
enforcement of policy in organisations.
Masrek et al. (2018) categorised senior management support into information security
commitment (the degree to which senior management involve and support information
security initiatives) and information security importance (the degree to which senior
management gives preference to information security programs). Their study on
assessing information security culture in government organisations in Malaysia found
that senior management support is important in developing an effective information
security culture. Consistent with Knapp et al. (2006), the researchers emphasise that
senior management must be involved in information security decisions, investment
and actions (Masrek et al., 2018). Greene and D’Arcy (2010) empirically examined
the influence of security-related and employee-organisation relationship factors on
users’ information security compliance. The study established that senior management
support enables the establishment of an effective information security culture.
2.5.2 Training & awareness campaigns
The ISO/IEC 27002/2013 (ISO/IEC, 2013) standards state that providing appropriate
information security training, education and awareness to employees is important for
information security. This is because employees are considered to be the weakest link
in the information security chain (Parsons et al., 2014; van Niekerk & von Solms,
2005). Human-based actions such as employee negligence or lack of knowledge and
skills rather than malicious intent (Ponemon, 2019, 2020), and non-compliance
behaviour (Parsons et al., 2014) are major causes of information security breaches. For
example, since 2018 the number of cybersecurity incidents or breaches caused by
insider threats has increased by 47%, and the cost to address these security incidents
has increased by 31% (Ponemon, 2020). Therefore, providing information security
training and awareness to employees should help equip them with necessary
information security skills and knowledge, and therefore, improve information
security compliance behaviour (Siponen, Adam Mahmood, & Pahnila, 2014).
The role of information security training and awareness in establishing an effective
information security culture has been widely discussed (e.g., da Veiga, 2015b, 2016;
Martins & Eloff, 2002; Pierce, 2012; Whitman & Mattord, 2016). For example, da
Veiga (2015b) conducted assessments to compare the information security culture of
organisations with and without prior information security training and awareness
initiatives. The study found that organisations that implement these have a stronger
information security culture than organisations that do not. In the same year, da Veiga
and Martins (2015) conducted a study to improve information security culture in
international financial institutions through monitoring and implementation of
information security training and awareness campaigns. The study found that
information security training and awareness is a significant factor contributing to an
effective information security culture. Similarly, Alnatheer et al. (2012) found that
increasing the frequency of information security training and awareness initiatives
helps to develop an effective information security culture.
da Veiga et al. (2020) surveyed 512 respondents from mainly South African
organisations to determine key factors that contribute to establishing an effective
information security culture. Information security education, training and awareness
was found to be an important factor necessary to establish an effective information
security culture. Likewise, Pierce (2012) undertook a study to determine the factors
contributing to the integration, implementation and maintenance of a successful
information security culture and found that of the factors considered in the study
information security training and awareness was the most significant contributor to
information security culture. In a study of Malaysian higher education institutions,
Nasir, Arshah, Ab Hamid, et al. (2019) also found security education, training and
awareness to be an important determinant of information security culture; however,
information security knowledge was a stronger determinant of information security
culture in their study.
2.5.3 Interpersonal trust
Interpersonal trust is the willingness of a person to rely on another person or party in
the belief that they will not disappoint them intentionally (Deutsch, 1958).
Interpersonal trust is a personality trait that reflects the general expectations of the
trustworthiness of others (Rotter, 1967). In this study, the definition provided by
Deutsch (1958) is used.
Interpersonal trust has been found to have a positive effect on how people live in an
unsafe and uncertain environment (Liang, Laosethakul, Lloyd, & Xue, 2005; Mayer,
Davis, & Schoorman, 1995; Ridings, Gefen, & Arinze, 2002); and on making better
decisions and increasing confidence (Lewis & Weigert, 1985). Interpersonal trust
enables people to decrease complexity and uncertainty in their life because they
believe that others will behave as expected (Hummels & Roosendaal, 2001).
Therefore, interpersonal trust may help overcome uncertainty in the information
security domain.
People in relationships with a high level of interpersonal trust communicate frequently
(Anderson & Narus, 1990). Koskosas, Kakoulidis, and Siomos (2011) report that
higher levels of interpersonal trust lead to positive outcomes in terms of performance.
For example, increased interpersonal trust leads to higher levels of knowledge sharing
(Hsu & Chang, 2014; Renzl, 2008) and higher levels of knowledge sharing in
organisations may lead to benefits in the context of information security.
Williams (2009) stated that trust is an important contributor to information security,
yet there have been a limited number of studies undertaken to study the relationship
between information security and trust. Koohang, Nowak, Paliszkiewicz, and Nord
(2020) conducted a study in relation to trust in information security policy. The study
found that the employees’ trusting beliefs (i.e., competence, integrity and
benevolence) predict information security policy compliance. Tamjidyamcholo, Baba,
Tamjid, and Gholipour (2013) studied the role of three aspects of trust in information
security knowledge sharing. They surveyed information security professionals
belonging to a virtual community and found that trust in the people in the community,
trust in the information security knowledge that was shared, and trust in the security
of the virtual community all contributed to overall trust, which positively influenced
intention to share security knowledge. Trust was also found to influence attitude to
knowledge sharing.
Rajaonah (2017) stated that interpersonal trust is important for the protection of vital
organisational information systems, and Paliszkiewicz (2019) found that trust is
associated with leadership in information security policy compliance. Safa and von
Solms (2016) also found that interpersonal trust positively influences information
security knowledge sharing behaviour. In a study on the role of interpersonal influence
on information security behaviour in the workplace, Dang-Pham et al. (2017) found
that employees who are trusted positively influence the security behaviour of others,
thus highlighting the importance of interpersonal trust in the security context.
Therefore, interpersonal trust could potentially influence information security culture
by improving sharing of knowledge about security and improving security decisions,
and hence reducing/mitigating information security risks and issues.
Several authors have also argued that interpersonal trust is important in creating an
ideal information security culture. Ruighaver, Maynard, and Chang (2007) suggest that
trust helps nurture a good attitude towards information security, which is important in
an effective information security culture, and Astakhova (2020), da Veiga et al.
(2020), and da Veiga and Eloff (2010) propose that it influences information security
culture. Further research is needed to understand this relationship.
2.5.4 Information security policy
An information security policy is a statement of intentions and directions from
management to employees to prevent or mitigate risks or threats to information
confidentiality, integrity, and availability (Wood, 1995). Lack of information security
policy in an organisation indicates that there is no proper information security
guidance, suggesting a low level of senior management commitment to information
security (Knapp, Morris Jr, Marshall, & Byrd, 2009). Martins and Eloff (2002)
recommended that at the organisational level information security policy needs to be
reviewed on a regular basis to ensure it meets information security needs and
incorporated into the working environment so that it becomes a part of everyday
activities for the employees. Information security policy helps employees understand
the acceptable level of information security behaviour needed to ensure information is
secured (Höne & Eloff, 2002; Whitman & Mattord, 2012).
In a review of factors contributing to information security culture by Tolah et al. (2017)
information security policy was identified as a commonly cited factor contributing to
an effective information security culture. For example, da Veiga et al. (2020)
investigated the factors required to instil the ideal information security culture by
surveying 512 industry participants from international organisations. Information
security policy was repeatedly mentioned as one of the important factors in creating
an effective information security culture. AlHogail (2015a) developed a framework
for creating effective information security, and the framework has regulations, which
flow from information security policy, as an important contributor to information
security culture.
da Veiga (2015a, 2016) conducted an empirical study across 12 countries over eight
years to determine the influence of information security policy on information security
culture by comparing organisations with security policy and those without.
Information security culture was found to have improved significantly over time in
those organisations where there was information security policy and employees
engaged with it. The finding was supported by da Veiga and Martins (2017) in a study
conducted to investigate how information security culture is developed over time
through targeted interventions.
Some information security studies that have investigated the influence of information
security policy on information security culture have proposed and/or tested
information security culture models or frameworks showing information security
policy as one of the contributors to establish an effective information security culture.
For example, Sherif, Furnell, and Clarke (2015b) proposed information security policy
as one of the five factors that could influence information security culture. Martins and
da Veiga (2015) tested an information security culture model that represents the
influence of four factors on information security culture (policies, management,
awareness, and compliance). The study found that information security policy
contributed to establishing an effective information security culture.
2.5.5 Organisational culture
Hofstede (1998b) defined organisational culture as a manifestation of practices or
behaviours evolving from the shared values of the organisation. Organisational culture
has been proposed as important in information security. For example, Chang and Lin
(2007) examined the influence of organisational culture on the effectiveness of
implementing information security management (confidentiality, integrity,
availability, and accountability). The study concluded that there are significant
relationships between organisational culture and information confidentiality, integrity,
availability and accountability.
There have also been a number of studies undertaken to determine how organisational
culture and information security culture are related. A framework developed by Lim,
Chang, Maynard, and Ahmad (2009) presents three types of potential relationship
between organisational culture and information security culture based on analysis of
the previous literature. The relationships are categorised as high (where information
security culture is embedded into organisational culture), moderate (where information
security culture is a subculture of organisational culture) and low (where information
security culture is separate from organisational culture). In a later study the same
researchers (Lim, Ahmad, Chang, & Maynard, 2010) conducted a case study based on
their framework. The case study highlighted that the roles of senior management, the
delineation of responsibilities, the enforcement of processes, the provision of training,
and allocation of budget to security programs are ways of expressing that information
security culture is embedded into organisational culture. They also suggested that
organisations should aim to embed information security culture into organisational
culture to influence employee information security behaviour.
Some researchers (Nasir, Arshah, Ab Hamid, et al., 2019; Schlienger & Teufel, 2002;
van Niekerk & von Solms, 2005) have viewed information security culture as a sub-
set or part of organisational culture. Consistent with this perspective, authors such as
Andress and Fonseca (2000), Dhillon (1997) and von Solms (2000) recommend that
information security culture and organisational culture are investigated together in
order to understand how to cultivate effective information security behaviour.
Researchers such as Chia, Maynard, and Ruighaver (2002) and Knapp, Marshall,
Rainer, and Morrow (2004) have viewed information security culture and
organisational culture as separate. Although Tang et al. (2016) proposed a model to
understand the influence of organisational culture on information security culture,
there have been few studies undertaken to determine the relationship between
organisational culture and information security culture. In one of these, Wiley et al.
(2020) surveyed working Australians to explore the relationship between
organisational culture and information security culture. A strong positive relationship
was found between organisational culture and information security culture. This
indicates that when organisational culture improves so does information security
culture and this helps to mitigate and reduce information security threats or risks.
However, the types of organisational culture that organisations practice may determine
how well information security threats or risks are mitigated or reduced (Tang et al.,
2016).
Tang et al. (2016) suggested using dimensions of organisational culture to explain
potential associations between organisational culture and information security culture.
Their model uses Hofstede’s six dimensions of organisational culture (Hofstede et al.,
1990) and proposes causal relationships between the six dimensions of organisational
culture (process- versus results-oriented, employee- versus job-oriented, open versus
closed system, tightly versus loosely controlled, parochial versus professional and
normative versus pragmatic) and four aspects of information security culture
(compliance, communication, accountability and governance). Hofstede (1998)
defines process- versus results-oriented organisational culture in terms of risk-taking
traits and efforts put in by employees. Employee-oriented organisational culture is
defined as a culture where organisations support employees’ welfare and address their
concerns, and job-oriented organisational culture is a culture where organisations are
more focused on accomplishing work or achieving tasks. Open versus closed system
organisational culture focuses on organisational openness or resistance to new
employees and new innovative ideas. Tightly versus loosely controlled organisational
culture refers to how strictly or loosely organisational rules, policies and structure are
followed. Parochial versus professional organisational culture refers to the way the
members of organisations identify themselves. Lastly, normative versus pragmatic
organisational culture refers to how organisations deal with customers.
In a process-oriented organisation, the employees may have conservative attitudes
towards innovation and risk taking and are believed to follow existing methods, policy
and procedures, whereas in a results-oriented organisation, the employees are
relatively open to new ideas and innovation and are believed to exhibit higher levels
of risk taking behaviour in order to deliver work results or output (Tang et al., 2016).
In the context of information security, employees in process-oriented organisations
may have a higher degree of intention to comply with information security policy when
compared to results-oriented organisations (Tang et al., 2016).
In employee-oriented organisations, employees’ welfare is emphasised (Cadden,
Marshall, & Cao, 2013), whereas, in job-oriented organisations, employees need to
take more responsibility for their own personal welfare (Tang et al., 2016). In the
information security context, a study by Connolly et al. (2016) found that employees
in an employee-oriented organisation had higher levels of motivation to comply with
information security requirements. The study also found that a job-oriented
organisational culture has a negative impact upon the information security behaviour
of the employees.
In an open system organisation, the employees have higher levels of information
sharing, and new employees are welcomed and are more rapidly integrated into the
organisation (Bös et al., 2011). Al Mehairi (2013) also found that having an open
system organisational culture has a positive impact on knowledge sharing. In contrast,
in a closed system organisation, new employees may need longer to be accepted
(Hofstede, 1998) and existing employees may resist new changes and information may
not be so freely exchanged (Beshay & Sixsmith, 2008). Thus, in the context of
information security, implementing information security requirements in a closed
system organisation may be more difficult than in an open system organisation (Tang
et al., 2016).
In tightly controlled organisations employees are more likely to strictly adhere to
information security policy requirements (Tang et al., 2016). Similarly, Chang and Lin
(2007) propose that organisations with a culture that is highly regulated have a higher
degree of information confidentiality, integrity, and availability. In contrast, in loosely
controlled organisations, the rules and policies are less strictly observed, and employees
in this type of organisation may, therefore, be less compliant with information security
requirements, such as information security standards, policies, and protocols.
Employees in parochial organisations derive their identity from the organisation they
work for, and in professional organisations employees are more likely to identify with
their profession (Hofstede, 1998). In a parochial organisational culture employees
believe that hiring of new employees should be based on their social and family
background along with their knowledge and skills, and in professional organisational
culture, employment is more focussed on capabilities (Tang et al., 2016). Tang et al.
(2016) proposed that parochial versus professional organisational culture may
influence different aspects of information security culture such that employees in
parochial organisations are more likely to comply with information security policies
and employees in professional organisations are more likely to place importance on
information security.
Normative versus pragmatic organisational culture deals with the notion of customer
orientation (Hofstede, 1991). This type of organisational culture captures whether
customers are dealt with in a more flexible or rigid way. In the context of information
security, Tang et al. (2016) argued that in normative organisations, policies and rules
are more likely to be adhered to, with employees more likely to be held responsible
for not adhering to rules while fulfilling customers’ needs. They proposed that this
type of organisational culture may influence information security culture.
However, the model proposed by Tang et al. (2016) has not been tested. Also, there
has been very little research undertaken to determine the relationships between
Hofstede’s dimensions of organisational culture and information security culture.
2.5.6 Other factors
The information security literature also discusses the potential influence of other
factors on the establishment of an effective information security culture. These other
factors include national culture (da Veiga et al., 2020; Govender, Kritzinger, & Loock,
2016; Sherif et al., 2015b) and change management (da Veiga et al., 2020; Hassan &
Ismail, 2012). da Veiga et al. (2020) also provide a comprehensive list of factors
proposed to influence information security culture based on a systematic literature
review.
In a conceptual framework proposed by Sherif et al. (2015b) national culture was
proposed as a factor influencing information security culture. Similarly, in a recent
study by da Veiga et al. (2020) national culture is also highlighted as one of the
potential factors influencing information security culture. Flores, Antonsen, and
Ekstedt (2014) concluded that national culture has a moderating effect on other factors
that influence the establishment of an effective information security culture. For
example, national attitude towards risk has been found to affect fostering of an
effective information security culture in small and medium size businesses in Australia
(Dojkovski, Lichtenstein, & Warren, 2007).
da Veiga et al. (2020) proposed change management as another factor that can
influence information security culture. Hassan and Ismail (2012) also included change
management in their comprehensive conceptual model of factors influencing
information security culture in healthcare environments. This was supported by
AlHogail and Mirza (2014a) in a study conducted to integrate various change
management principles to support and guide organisations to positive information
security culture.
2.6 Information security behaviour
Human-based actions are considered the weakest link in information security (da
Veiga & Eloff, 2010) because most information security breaches and risks are caused
by human actions rather than physical failures (Appari & Johnson, 2010; Narayana
Samy, Ahmad, & Ismail, 2010; Parsons et al., 2014). In the context of information
security, human-based actions are employee behaviours that impact the security of
information assets (Al-Omari, El-Gayar, & Deokar, 2012). Therefore, cultivating good
information security behaviour is important to mitigate information security breaches
and risks caused by these actions (Nasir, Arshah, & Ab Hamid, 2019). Alfawaz,
Nelson, and Mohannak (2010) studied users’ security behaviour and suggested
improving information security culture to achieve information security gains.
Dojkovski, Lichtenstein, and Warren (2010) also suggested that an effective
information security culture may resolve information security behavioural issues
which cause information security risks and threats. Therefore, having an effective
information security culture is believed to be associated with information security
behaviour.
Some researchers suggest information security culture as a determinant of information
security behaviour (e.g. AlKalbani, Deng, & Kam, 2015; D'Arcy & Greene, 2014;
D’Arcy & Greene, 2009; Parsons et al., 2015). On the other hand, several researchers
have suggested that good information security behaviour helps in establishing an
effective information security culture (e.g. Amankwa, Loock, & Kritzinger, 2018;
Hassan, Maarop, Ismail, & Abidin, 2017; Sherif et al., 2015b).
Parsons et al. (2015) surveyed 500 Australian employees to determine the relationship
between aspects of information security decision making that included self-reported
behaviour and information security culture. The study revealed a positive relationship
between information security decision making and information security culture and
recommended that organisations develop an effective information security culture to
cultivate compliance with information security policy. Similarly, AlKalbani et al.
(2015) developed and tested an information security compliance model to examine
how information security culture influences information security compliance
behaviour in government organisations in Oman. The results showed that information
security culture has a positive influence on information security compliance behaviour.
D’Arcy and Greene (2009) investigated two types of security behaviour: security
compliance and security extra role behaviour (also known as proactive security
behaviour). The study provided strong empirical evidence that information security
culture contributes to users’ compliance behaviour; the results also suggested a strong
relationship between security extra role behaviour. In a later study, D'Arcy and Greene
(2014) further examined the nature of information security culture and studied its
influence on employee compliance behaviour, and again confirmed that information
security culture positively influenced employee compliance behaviour.
Sherif, Furnell, and Clarke (2015a) argued that organisations consider information
security behaviour when trying to cultivate an effective information security culture.
However, there has been little research that has explicitly examined how information
security behaviour impacts on information security culture. In a qualitative study in
Malaysian healthcare organisations, Hassan et al. (2017) found that information
security behaviour is one of the factors contributing to information security culture. In
a study on compliance behavioural intention undertaken in a wide range of Ghanaian
companies, Amankwa et al. (2018) found that behavioural intention has a significant
positive influence on information security policy compliance culture. Further
longitudinal research is required to understand how information security culture and
behaviour influence one another over time.
2.7 Chapter overview
A brief description of the state of information technology and e-Gov initiatives in
Bhutan is provided in this chapter. This includes establishment of a high-speed
broadband masterplan, connecting all government offices across all regions into a
secured wide area network, and automation of G2C and G2B services in Bhutan. Lack
of skilled workforce, lack of leadership support, lack of resources, and lack of
appropriate information security policies were highlighted as key challenges impeding
development of information technology and e-Gov initiatives in Bhutan. The chapter
also briefly discussed cybersecurity initiatives undertaken in Bhutan, for example,
establishment of BtCIRT, and cyber security awareness and training initiatives.
After a discussion of Bhutan’s information technology and e-Gov initiatives, the
importance of information security to organisations to safeguard information
confidentiality, integrity and availability from external and internal threats is
highlighted. One of the strategies to safeguard information from threats and attacks in
organisations is to establish an effective information security culture.
The review of existing literature found that senior management support, training &
awareness campaigns, interpersonal trust, information security policy, and
organisational culture are some of the potential factors influencing the establishment
of an effective information security culture. The review also found that very few
studies have investigated the influence of interpersonal trust and organisational culture
on information security culture. The review also suggested that having an effective
information security culture may potentially contribute to nurturing good information
security behaviour.
Chapter 3 Research Models and Hypotheses
3.1 Introduction
The previous chapter provided a review of the literature relevant to the research
discussed in this thesis. This chapter presents the research model for the study and
provides justification for the proposed hypotheses.
This chapter begins with a section discussing the research aim and research questions,
and this is followed by a discussion of constructs of interest. The following section
presents the proposed research model and the hypotheses that are associated with it.
Detailed justifications of the proposed hypotheses are provided. The chapter concludes
with a brief summary of the chapter.
3.2 Research questions
The aim of the research study is to determine the factors that influence the
establishment of an effective information security culture, and to understand the
relationship between information security culture and information security behaviour
in government organisations in Bhutan. To address this research aim, two research
questions were proposed. The first research question relates to the factors that
influence the establishment of an effective information security culture in
organisations:
RQ1 What factors influence the information security culture of government
organisations in Bhutan?
The second research question relates to the role of information security culture in
influencing the information security behaviour of employees:
RQ2 How does information security culture influence the information security
behaviour of government employees in Bhutan?
Previous research studies on information security were reviewed to identify factors
that may influence information security culture in organisations. The following section
briefly describes and defines these factors, which are the constructs of interest in the
proposed model, before discussing the proposed research model and hypotheses.
3.3 Constructs of interest
Based on the literature review, the following factors were identified as potentially
influencing information security culture: senior management support, interpersonal
trust, information security training & awareness campaigns, information security
policy, and organisational culture, and having an effective information security culture
was identified as potentially influencing information security behaviour. They form
the basis of the proposed research model and the constructs of interest of the study.
The conceptualisation of organisational culture was further considered, and is based
on the work of Hofstede (1991) because his organisational culture dimensions have
been widely used and accepted in information security studies that conceptualise
organisational culture. Four dimensions of organisational culture (process-versus
results-oriented organisational culture, employee- versus job-oriented organisational
culture, open versus closed system organisational culture, and tightly versus loosely
controlled organisational culture) were identified as relevant for this study. Definitions
of the constructs of interest are provided in Table 3-1.
Table 3-1 Constructs of interest
Construct | Definition
Process- versus results-oriented organisational culture | A process-oriented organisation is an organisation where there is more emphasis on following process and procedure rather than outcomes. A results-oriented organisation focuses on end results, with less emphasis on process.
Employee- versus job-oriented organisational culture | In an employee-oriented organisation, employees’ welfare is emphasised, whereas in a job-oriented organisation, more emphasis is placed on the job to be done than employees’ needs and welfare.
Open versus closed system organisational culture | In an open system organisation, employees are open to new ideas and employees and management are welcome to openly criticize one another when they make mistakes, whereas in a closed system organisation, new ideas are not as easily accepted, and employees and management are less free to openly criticize one another.
Tightly versus loosely controlled organisational culture | In a tightly controlled organisation, employees have to strictly follow rules and regulations, whereas in a loosely controlled organisation, rules and regulations are less strictly adhered to.
Senior management support | Senior management support refers to the priority given by management to information security in organisations. Mobilisation of funds, support to undertake security training and awareness programs, and participation in information security communication in the organisation are some examples of senior management support.
Interpersonal trust | Interpersonal trust is the willingness of a person to rely on another person or party in the belief that they will not disappoint them intentionally (Deutsch, 1958).
Training & awareness campaigns | Training & awareness campaigns refers to the various types of information security training conducted by organisations and the campaigns undertaken to raise awareness of information security issues.
Information security policy | An information security policy is a policy document that governs information security practices in organisations. It includes rules and responsibilities and is used to safeguard information assets in the organisation.
Information security culture | Information security culture is defined as the information security attitudes, assumptions, beliefs, values, and knowledge that are used while interacting with organisational information assets and systems, which may change employees’ information security behaviour.
Information security behaviour | Information security behaviour refers to employee behaviour that protects the information of the organisation from potential security breaches.
3.4 Research model and hypotheses
No existing information security models were found to capture the range of relevant
relationships suggested by the literature review. Therefore, in order to achieve the
research aim and answer both of the research questions, a research model was
developed specifically for this study drawing from the findings of relevant literature
(e.g., Alnatheer et al., 2012; Chen, Ramamurthy, & Wen, 2015; Tang et al., 2016).
Figure 3-1 shows the proposed research model and associated hypotheses. As can be
seen, RQ1 is addressed by H1 to H8, and RQ2 is addressed by H9. The remainder of
this section describes the hypotheses associated with the proposed research model and
provides supporting evidence for them.
Employees in organisations with a process-oriented organisational culture are more
likely to avoid risks and make more limited effort in their work, and employees in a
results-oriented organisational culture tend to take more risks and are more likely to
put in maximal effort (Hofstede, 1991). Tang et al. (2016) proposed that a process-
oriented organisational culture, which is characterised as more conservative towards
new ideas and risks, is more likely to have increased compliance with information
security policies and rules. In such an organisational culture information security
policies are more easily adopted (Kokolakis et al., 2005). Employees in a results-
oriented organisational culture tend to focus more on results and may deviate from set
roles and responsibilities to ensure that the job gets done (Cadden et al., 2013). In such
an organisational culture information security policy compliance is more likely to be
overlooked by the employees (Connolly et al., 2016). It can be concluded that whether
an organisation is more process-oriented or more results-oriented will influence the
information security culture of the organisation. Therefore, it is hypothesised that:
H1: Having a process-oriented organisational culture has a positive influence on
information security culture.
In employee-oriented organisations, employees’ welfare is more likely to be looked
after by the organisation. In such organisations, employees are likely to perform their
jobs well (Cadden et al., 2013). In a job-oriented organisation, the focus is on jobs
rather than employees’ personal development (Tang et al., 2016). In such an
organisation employees may not be as motivated to perform their jobs effectively
(Cadden et al., 2013) and hence they may exhibit negative information security
behaviour (Connolly et al., 2016). Employees in employee-oriented organisations are
more likely to comply with information security guidelines and requirements
(Connolly et al., 2016) and this may be associated with a positive information security
culture. Tang et al. (2016) proposed that the employee-oriented organisational culture
may positively influence information security culture because employees in this type
of organisation are more likely to respond to information security requirements with
increased sense of accountability and need for compliance. It is therefore hypothesised
that:
H2: Having an employee-oriented organisational culture has a positive influence on
information security culture.
In an open system organisational culture, employees are more likely to share their
experience and information in support of one another. New employees are welcomed
and more likely to be integrated instantly and effectively (Hofstede, 1991). Whereas,
in a closed system organisational culture, new employees may need more time to feel
comfortable and accepted (Hofstede, 1998). In comparison to closed system
organisations, in open system organisations it may be easier for management to
explain information security requirements and policies to their employees, and
employees may more readily accept policy changes and be open to new ideas (Tang et
al., 2016). Also in open system organisations, employees’ sense of accountability in
the event of information security breaches may be higher than in closed system
organisations, and employees in open system organisations are likely to experience
improved levels of information security (Connolly et al., 2016). Tang et al. (2016)
proposed a relationship between open versus closed system organisational culture and
information security culture but the relationship has not been investigated. However,
it can be concluded that having an open system organisational culture may positively
influence the information security culture of an organisation. It is therefore
hypothesised that:
H3: Having an open system organisational culture has a positive influence on
information security culture.
Employees who work in tightly controlled organisations are more likely to be
accountable for their actions and may therefore comply with the policy requirements
as part of the work culture, whereas, employees in loosely controlled organisations are
less time and cost conscious, and are more relaxed about the organisation and their
work (Bös et al., 2011). In this type of organisation, information security policy may
not be adhered to strictly (Hofstede, 1998), which may negatively influence the
development of an effective information security culture. Chang and Lin (2007)
established that having a tightly controlled organisational culture has a positive
influence on information confidentiality, integrity, availability and accountability,
which are all integral to a good information security culture. Tang et al. (2016) also
proposed a positive relationship between tightly versus loosely controlled
organisational culture and information security culture. Consistent with this, having a
tightly controlled organisational culture is likely to positively influence information
security culture. Therefore, it is hypothesised that:
H4: Having a tightly controlled organisational culture has a positive influence on
information security culture.
Senior management determine organisational information security strategies, and
provide support for information security activities to create an effective information
security culture (Martins & da Veiga, 2015). The types of support provided by senior
management in the implementation of information security activities vary. For
example, senior management provide support to implement information security
policy and programs (Johnston & Hale, 2009; Knapp et al., 2006) and support
communication of information security requirements in the organisation (D'Arcy &
Greene, 2014). Masrek, Harun, Ramli, and Prasetyo (2019) studied the role of senior
management in three aspects of information security practices (information security
policy effectiveness, information security responsibility, and information security
directives). The study found that senior management support is a significant predictor
of these three aspects of information security practices.
The existing literature suggests that high levels of senior management support
contribute to the development of an effective information security culture (e.g.,
Alnatheer, 2012; da Veiga & Eloff, 2007; Kraemer, Carayon, & Clem, 2009; van
Niekerk & von Solms, 2005). For example, in a large qualitative international study,
da Veiga et al. (2020) investigated potential factors necessary to instil the ideal
information security culture. The results showed that senior management support
is one of the key factors to consider in developing an effective information security
culture. Greene and D’Arcy (2010) also found that senior management support as a
first order construct made a unique contribution to the formation of information
security culture. Similarly, Knapp et al. (2006) surveyed 220 certified information
system security professionals across 23 countries to study senior management’s
influence on information security culture. The study showed that senior
management support positively influenced the development of an effective information
security culture. Therefore, it is hypothesised that:
H5: Having support from senior management has a positive influence on information
security culture.
Training and awareness campaigns have been shown to lead to improved information
security behaviours or intentions to comply with security policies (e.g., Puhakainen &
Siponen, 2010; Rocha Flores, Holm, Nohlberg, & Ekstedt, 2015). This may be
mediated via improvements in information security culture.
Information security training and awareness campaigns are provided or conducted in
organisations to develop an effective information security culture, so that potential
information security breaches or risks are properly managed. There is evidence that
having good information security training & awareness campaigns in organisations
positively influences information security culture. For example, Chen et al. (2015)
conducted a study in four major companies in the US to assess the influence of
information security policy, security education, training and awareness programs, and
security monitoring on information security culture. The study found that security
education, training and awareness programs had the strongest influence on the
development of an effective information security culture.
Pierce (2012) surveyed 200 organisational managers, IT professionals, and knowledge
workers and as part of the study investigated the relationship between information
security awareness and training and information security culture. The study found that
information security training & awareness campaigns had the strongest relationship to
information security culture of the factors considered. Similarly, in a survey conducted
in Saudi Arabian organisations, information security training was found to be
associated with improved information security culture (Alnatheer et al., 2012).
Therefore, it is hypothesised that:
H6: Having training & awareness campaigns has a positive influence on information
security culture.
Interpersonal trust helps to reduce ambiguity in the workplace by facilitating
socialisation (Weick, 1995). Specifically, people with a high level of interpersonal
trust frequently communicate (Anderson & Narus, 1990) to resolve ambiguity. For
example, in a study by Saint-Charles and Mongeau (2009) about how employees cope
with ambiguity and uncertainty in the workplace, employees were found to rely on
trusted friends to resolve ambiguity. In the information security context, some
employees prefer to discuss ambiguity in information security practices and issues
with trusted friends and colleagues (Dang-Pham et al., 2017). This kind of informal
discussion has been found to promote information security in organisations
(Kirlappos, Parkin, & Sasse, 2014).
Koskosas et al. (2011) report that higher levels of interpersonal trust lead to positive
outcomes in terms of performance. For example, increased interpersonal trust leads to
higher levels of knowledge sharing (Hsu & Chang, 2014; Renzl, 2008). Safa and von
Solms (2016) also found that interpersonal trust positively influences information
security knowledge sharing behaviour. Specifically, interpersonal trust plays a critical
role in the development of relationships that facilitate knowledge sharing amongst
individuals (Chen, Lin, & Yen, 2014).
In the information security context, having a knowledge sharing culture helps to reduce
information security breaches, and increases information security awareness (Safa &
von Solms, 2016), and this may help cultivate good information security behaviour. In
a study on the role of interpersonal influence on information security behaviour in the
workplace, Dang-Pham et al. (2017) found that employees who are trusted positively
influence information security behaviours. This study contends that the positive
influence on information security behaviour of interpersonal trust is mediated by
information security culture, and this is consistent with the view of several authors
who have argued that interpersonal trust is important in creating an ideal information
security culture (Astakhova, 2020; da Veiga et al., 2020; da Veiga & Eloff, 2010;
Ruighaver et al., 2007). Therefore, it is hypothesised that:
H7: Having interpersonal trust has a positive influence on information security
culture.
Information security policy provides a foundation to create shared information security
values and beliefs in the organisation (Alnatheer & Nelson, 2009; Box & Pottas, 2013;
Sherif et al., 2015b). Information security policy communicates desirable information
security behaviour and states what is expected of employees (Martins & Eloff, 2002).
It has been reported that employees often think that implementing or complying with
information security policy may reduce their efficiency in the work place (Bulgurcu et
al., 2010). However, employees who comply with information security policy
requirements safeguard information assets from information threats and risks (Safa et
al., 2016). Shaaban and Conrad (2013) found that 80% of the organisations they
surveyed had suffered from virus attacks because the employees were not aware of or
complying with information security policy requirements.
Information security researchers have identified information security policy as one of
the factors influencing the establishment of an effective information security culture
(e.g., AlHogail, 2015a; da Veiga et al., 2020; Sherif et al., 2015b; Tolah et al., 2017).
Acuña (2017) proposed a research model based on the Theory of Planned Behaviour
(Ajzen, 1991) to examine the factors that influence intention to comply with a
comprehensive computer security policy. The model proposed a relationship between
having comprehensive computer security policy and intention to comply with
computer security policy, which is mediated by attitude, normative belief, and self-
efficacy. This model was tested in a later study by Acuña (2018) which found that
computer security policy influenced employees’ intention to comply with computer
security policy and that this relationship was mediated by attitude and normative
belief, which are part of information security culture. In addition, da Veiga and Martins
(2017) conducted an empirical study to assess information security culture across 12
countries over eight years in four intervals from 2006-2013. The study found that
information security culture significantly improved after implementation of
information security policy interventions. Therefore, it is hypothesised that:
H8: Having information security policy has a positive influence on information
security culture.
D’Arcy and Greene (2009) examined the influence of information security culture on
two types of user behaviours (security policy compliance and security extra-role
behaviour, also known as proactive security behaviour). The study provided strong
evidence that an effective information security culture contributes to both compliant
user behaviour and extra-role behaviour. In a later study D'Arcy and Greene (2014)
considered information security culture as a second order construct with three
dimensions and investigated its influence on information security compliance
behaviour. The study showed that information security culture had a positive influence
on information security compliance behaviour. Similarly, information security culture
(conceptualised with the dimensions of management commitment, accountability and
information security awareness) was found to have a positive effect on employee
information security compliance behaviour (AlKalbani et al., 2015). Nasir, Arshah,
and Ab Hamid (2020) also confirmed the role of information security culture in
influencing employees’ information security behaviour. Based on the above empirical
findings, it is hypothesised that:
H9: Having an effective information security culture has a positive influence on
information security behaviour of employees.
A summary of the hypotheses is provided in Table 3-2.
Table 3-2 Summary of hypotheses
H1: Having a process-oriented organisational culture has a positive influence on information security culture.
H2: Having an employee-oriented organisational culture has a positive influence on information security culture.
H3: Having an open system organisational culture has a positive influence on information security culture.
H4: Having a tightly controlled organisational culture has a positive influence on information security culture.
H5: Having support from senior management has a positive influence on information security culture.
H6: Having training & awareness campaigns has a positive influence on information security culture.
H7: Having interpersonal trust has a positive influence on information security culture.
H8: Having information security policy has a positive influence on information security culture.
H9: Having an effective information security culture has a positive influence on information security behaviour of employees.
3.5 Chapter overview
The aim of the research study is to determine the factors that influence the
establishment of an effective information security culture, and to understand the
relationship between information security culture and information security behaviour
in government organisations in Bhutan. To address this research aim, two research
questions were proposed. The first research question relates to determining factors that
influence the establishment of an effective information security culture, and the second
research question relates to understanding the role of information security culture in
influencing the information security behaviour of employees.
A research model was developed to help answer these research questions. The model
includes interpersonal trust, senior management support, training & awareness
campaigns, information security policy, and organisational culture (process- versus
results-oriented organisational culture, employee- versus job-oriented organisational
culture, open versus closed system organisational culture, and tightly versus loosely
controlled organisational culture) as potential factors influencing information security
culture. It also proposes that information security culture influences information
security behaviour. The nine hypotheses associated with the model were discussed in
this chapter.
The next chapter provides a detailed description of the research method adopted for testing
these proposed hypotheses (H1 to H9).
Chapter 4 Research Methodology
4.1 Introduction
The previous chapter described the research model for the study and the hypotheses
associated with it. This chapter discusses the methodology adopted to achieve the aim
of the research.
This chapter begins with a discussion of the overall research design, after which the
research sample and recruitment of the participants for the study are described. The next
section describes development of the questionnaire and the pre-testing of it. The data
collection procedure for the study is then provided. The following section provides a
description of the data analysis techniques used for the study. Lastly, the chapter ends
with an overview.
4.2 Research design
Qualitative and quantitative research methods are widely applied in academic research.
The nature, purpose and context of the study determine the selection of research
methods (Bryman & Burgess, 1999). A quantitative research method is appropriate
when testing relationships between variables (Mehrad & Tahriri, 2019). The aim of
this research study is to determine the factors that influence the establishment of an
effective information security culture, and to understand the relationship between
information security culture and information security behaviour in government
organisations in Bhutan. Therefore, a quantitative research method was considered
appropriate and was chosen to facilitate testing of the proposed research model.
A survey data collection method was adopted because it would enable the soliciting of
the perceptions of government employees in their natural work setting, in order to
measure constructs such as interpersonal trust, and information security culture. Also,
the method would help in collecting data on information security behaviours that are
difficult to observe. The survey method is also relatively easy to administer (Shapiro
et al., 2004).
The population of interest of the research study is civil servants in Bhutan. As the civil
servants in Bhutan are stationed and working in different regions across Bhutan, an
online data collection approach was considered most appropriate, and a cross-sectional
online questionnaire was chosen to collect data. This is because it is a cost-effective
approach to collecting data quickly from a large sample to enable completion of the
research study on time.
4.3 Participants
The population of interest for the research was employees of government
organisations in Bhutan. The recruitment of participants was undertaken in
collaboration with the Department of Information Technology & Telecom (DITT),
which is under the Ministry of Information and Communications (MoIC). Necessary
government approval to survey their employees was sought and the MoIC provided
approval to undertake the research study including the collection of data (see Appendix
B).
After the approval was received, recruitment was conducted in collaboration with
DITT. This was appropriate because the DITT is mandated by the government to
oversee government information technology related projects (both research and
infrastructure), policy formulation and implementations, and also acts as an advisor to
the government on information technology related initiatives. DITT also has a
database of email addresses of all government employees in Bhutan. The benefits of
gaining access to potential participants by collaborating with DITT can be summarized
as follows:
i. A balanced mix of government employees was sought in terms of educational
and occupational background. DITT were able to facilitate access to the full
range of government employees across the following occupational categories:
operational (civil servants in position level O4 to O1), supervisory and support
(civil servants in position level S5 to SS1), professional and management (civil
servants in position level P5 to P1) and executive (civil servants in position
level EX3/ES3 to EX1/ES1).
ii. DITT provided easier and quicker access to potential participants because of
their government-wide databases of email addresses of government employees
and also because they have strong intragovernmental linkages.
iii. DITT’s involvement provided a higher level of authenticity and helped
generate trust in the research, since the research was approved by MoIC and
conducted with support from DITT.
According to Hair, Sarstedt, Ringle, and Hult (2017), the sample size for PLS-SEM
model testing should be equal to or more than ten times the largest number of structural
paths directed at a particular construct in the structural model or ten times the largest
number of formative indicators used to measure one construct. In this research eight
structural paths are directed to information security culture, therefore, the minimum
sample size needed to test the proposed model is 80. An initial sample size of at least
150 was sought to allow for any partial completions and invalid responses.
4.4 Human ethics considerations
Ethical approval was sought from the Human Research Ethics Committee at Murdoch
University. The research was conducted under the approved project number 2018/076.
The human research ethics approval document is presented in Appendix C.
4.5 Questionnaire development
This section discusses how the questionnaire was developed. Firstly, this section
discusses the questions and measurement scales used to obtain demographic and
background information about the participants, and then it describes the measurement
items adopted to measure the constructs in the proposed research model.
All of the constructs were considered first order reflective constructs except for
information security behaviour. The items to measure the constructs were adapted
from previous information security research where possible. A complete copy of the
questionnaire that was made available online to the participants is provided in
Appendix D.
4.5.1 Demographic and background information
This part of the questionnaire obtained demographic and background information about
the participants. This was collected to conduct descriptive analysis of the participants
and the organisations they worked in. The questions collected data relating to
participants’ gender, age, highest educational qualification, and their workplace and
position as presented in Table 4-1.
Table 4-1 Demographic and background information questions

| Questions | Scales/Options |
|---|---|
| What is your gender? | Male/Female |
| How old are you? | Years |
| What is the highest level of education you have completed? | Completed year 10; Completed year 12; Completed certificate/diploma; Completed undergraduate degree; Completed master’s degree; Completed PhD/doctoral degree |
| Which organisation do you currently work for? | Open-ended question |
| What is your designation and position level? (e.g., Sr. Program Officer and P3) | Open-ended question |
| Please select the field in which you are currently employed | Information technology and telecommunications; Finance and budget; Trade and industry; Energy; Medical and healthcare; Local government; Census and immigration; Mineral and mines; Audit; Anti-corruption |
| How long have you been working for your current organisation? | Open-ended question |
| How many years have you been employed in the civil service? | Open-ended question |

A series of questions about workplace behaviour that might be relevant to information
security culture and behaviour were also asked (see Table 4-2).
Table 4-2 Information security related questions

| Questions | Scales/Options |
|---|---|
| Do you use laptops and/or computers in your work? | Yes/No |
| Do you take work laptops home? | Yes/No/Not Applicable |
| How would you rate your level of information security knowledge/skills? | 5-point scale from ‘None’ to ‘Expert’ |
| What methods do you use to dispose of sensitive information/data that is no longer needed? | Open-ended question |
| How often have you shared work-related information on social networking sites? | Often/Never |
| If you have shared work-related information on social networking sites, which sites have you used to do so? | Others (please specify) |

4.5.2 Organisational culture
All items to measure dimensions of organisational culture were adopted from Verbeke
(2000) and Cadden et al. (2013) with minor changes to wording made to suit the
research context. Consistent with Cadden et al. (2013), the measurement items used a
5-point Likert scale ranging from ‘Strongly Disagree’ (1) to ‘Strongly Agree’ (5). The
dimensions of organisational culture that were measured are process- vs
results-oriented (OC_PR), employee- versus job-oriented (OC_EJ), open vs closed system
(OC_OC), and tightly vs loosely controlled (OC_TL). The set of measurement items
used to measure these dimensions of organisational culture is presented in Table 4-3.
A process-oriented organisation is one where there is more emphasis on following
process and procedure than on outcomes. After reverse coding, higher levels of
agreement with the items measuring this construct indicate that the organisational
culture is more process-oriented. Similarly, after reverse coding, higher levels of
agreement with the items measuring employee- versus job-oriented culture indicate
that the organisation places more emphasis on employee welfare than would occur in a
job-oriented organisation.
In an open system organisation, employees are open to new ideas, and employees and
management are welcome to openly criticize one another when they make mistakes,
whereas in a closed system organisation new ideas are not as easily accepted. Higher
levels of agreement with the items used to measure this construct indicate that an
organisation has a more open system organisational culture.
Tightly vs loosely controlled organisational culture relates to the degree to which rules
and regulations are strictly adhered to. After reverse coding, higher levels of agreement
with the items measuring this construct indicate that an organisation is perceived
by employees to be more tightly controlled.
Table 4-3 Measurement items for organisational culture

Process- vs results-oriented organisational culture

| Identifier | Measurement item |
|---|---|
| OC_PR1 | At my work when confronted with problems, people are rarely helped by people from other organisations |
| OC_PR2* | At my work the tasks of employees that are absent are usually taken over by colleagues |
| OC_PR3* | At my work requests from other organisations are usually carried out without delay |
| OC_PR4* | At my work on special projects, there is quick cooperation between the various divisions/departments |
| OC_PR5 | At my work the employees contribute their bit by directly following the prescribed methods of the managers |

Employee- versus job-oriented organisational culture

| Identifier | Measurement item |
|---|---|
| OC_EJ1* | At my work when people do not feel happy about their job, but still perform well, little or nothing is done for them |
| OC_EJ2 | At my work whenever an employee is ill, or when something has happened in their personal life managers ask after their problem with interest |
| OC_EJ3 | At my work employees are encouraged to take training courses and to go to seminars and conferences to help their self-development |
| OC_EJ4 | At my work if there are personal conflicts between employees, the managers attempt to solve these problems |
| OC_EJ5* | At my work my manager shows little or no interest in birthdays, marriages and births |
| OC_EJ6 | At my work employees usually have a say in matters that directly involve them |
| OC_EJ7 | At my work managers compliment employees on work well done |
| OC_EJ8 | At my work senior management ensures that my job does not become too pressurised |

Open versus closed system organisational culture

| Identifier | Measurement item |
|---|---|
| OC_OC1 | At my work if a manager has a criticism of an employee he or she discusses it openly with them |
| OC_OC2 | At my work employees express any criticisms of management directly to them |
| OC_OC3 | At my work employees are asked for constructive criticism of managers |
| OC_OC4 | At my work the mistakes of a colleague are mainly discussed behind his or her back |

Tightly versus loosely controlled organisational culture

| Identifier | Measurement item |
|---|---|
| OC_TL1 | At my work managers always check if the employees are working |
| OC_TL2 | At my work if an employee is a little late for an appointment with the manager, he or she will be reprimanded |
| OC_TL3 | At my work if an employee goes to a medical check-up during working hours, there is a check on how long he or she stays away |
| OC_TL4 | At my work employees’ work-related expenses have to be specified in detail |
| OC_TL5* | At my work if an employee is 15 minutes late for work, but stays on for an extra 15 minutes at the end of the day the management usually do not bother too much |
| OC_TL6* | At my work the number and duration of the breaks employees take are rarely checked by the managers |
| OC_TL7 | At my work if an employee has to go to an important appointment, she/he has to convince the manager of the importance of the appointment |

*Reverse coded

4.5.3 Senior management support
All six items used to measure senior management support were adopted from Knapp
et al. (2006), with minor changes to wording made to suit the research context. No
items were deleted or added because construct validity and reliability were
demonstrated in the study by Knapp et al. (2006). The construct was measured using
a 7-point Likert scale ranging from ‘Strongly Disagree’ (1) to ‘Strongly Agree’ (7). The
set of measurement items for senior management support is presented in Table 4-4.
Table 4-4 Measurement items for senior management support

| Identifier | Measurement item |
|---|---|
| SMS1 | Senior management considers information security an important organisational priority |
| SMS2 | Senior executives are interested in security issues |
| SMS3 | Senior management takes security issues into account when planning corporate strategies |
| SMS4 | Senior leadership’s words and actions demonstrate that security is a priority |
| SMS5 | Visible support for security goals by senior management is obvious |
| SMS6 | Senior management gives strong and consistent support to the security program |

4.5.4 Training & awareness campaigns
All six items used to measure training & awareness campaigns were adopted from
Knapp (2005), with minor changes made to wording to suit the research context. No
items were deleted or added because construct validity and reliability were
demonstrated in the study by Knapp (2005). The construct was measured using a
7-point Likert scale ranging from ‘Strongly Disagree’ (1) to ‘Strongly Agree’ (7). The
set of measurement items for training & awareness campaigns is presented in Table
4-5.
Table 4-5 Measurement items for training & awareness campaigns

| Identifier | Measurement item |
|---|---|
| ITA1 | Necessary efforts are made to educate employees about new security policies |
| ITA2 | Information security awareness is communicated well |
| ITA3 | A variety of business communications (notices, posters, newsletters, etc.) are used to promote security awareness |
| ITA4 | An effective security awareness program exists |
| ITA5 | A continuous, ongoing security awareness program exists |
| ITA6 | Users receive adequate security refresher training appropriate for their job function |

4.5.5 Interpersonal trust
All five items used to measure interpersonal trust were adopted from Hallikainen and
Laukkanen (2018). No changes were made to the items. The construct was measured
using a 7-point Likert scale ranging from ‘Strongly Disagree’ (1) to ‘Strongly Agree’
(7). The set of items to measure interpersonal trust is presented in Table 4-6.
Table 4-6 Measurement items for interpersonal trust

| Identifier | Measurement item |
|---|---|
| Trust1 | I generally trust other people |
| Trust2 | I generally have faith in humanity |
| Trust3 | I feel that people are generally well meaning |
| Trust4 | I feel that people are generally trustworthy |
| Trust5 | I feel that people are generally reliable |

4.5.6 Information security policy
All three items to measure information security policy were adopted from D'Arcy,
Hovav, and Galletta (2009). The construct was measured using a 7-point Likert scale
ranging from ‘Strongly Disagree’ (1) to ‘Strongly Agree’ (7). The set of items to
measure information security policy is presented in Table 4-7.
Table 4-7 Measurement items for information security policy

| Identifier | Measurement item |
|---|---|
| ISP1 | My organisation has established rules of behaviour for use of computer resources |
| ISP2 | My organisation has a formal policy that forbids employees from accessing computer systems that they are not authorized to use |
| ISP3 | My organisation has specific guidelines that govern what employees are allowed to do with their computers |

4.5.7 Information security culture
All six items used to measure information security culture were adopted from the
Knapp et al. (2006) study on information security culture. Minor changes to wording
were made to suit the research context. The construct was measured using a 7-point
Likert scale ranging from ‘Strongly Disagree’ (1) to ‘Strongly Agree’ (7). The set of
measurement items for the information security culture construct is presented in Table
4-8.
Table 4-8 Measurement items for information security culture

| Identifier | Measurement item |
|---|---|
| ISC1 | In my organisation employees value the importance of information security |
| ISC2 | In my organisation a culture exists that promotes good information security practices |
| ISC3 | In my organisation information security has traditionally been considered an important organisational value |
| ISC4 | In my organisation practicing good information security is the accepted way of doing business |
| ISC5 | In my organisation the overall environment fosters information security-minded thinking |
| ISC6 | In my organisation information security is a shared key norm |

4.5.8 Information security behaviour
Six items were developed specifically for this study to measure information security
behaviour (see Table 4-9). The user security behaviours discussed by Pattinson and
Anderson (2007) were used as a starting point to develop these measurement items.
They used password management, email use, internet use, social networking site use,
incident reporting, mobile computing and information handling as their information
security behaviour focus areas. The items were measured using a 5-point scale ranging
from ‘Never’ (1) to ‘Very frequently’ (5). A composite measure of information security
behaviour was calculated for each participant as the average of these six items.
Table 4-9 Measurement items for information security behaviour

| Identifier | Measurement item |
|---|---|
| ISB1 | How often do you change your passwords for work systems? |
| ISB2* | How often do you backup work-related data on personal portable devices? |
| ISB3* | How often have you installed non-licensed or unauthorised software on your work computers/laptop? |
| ISB4* | How often do you share work related information or data with unauthorized people you trust? |
| ISB5 | In my organisation the overall environment fosters information security-minded thinking |
| ISB6 | Do you follow information security policies and processes in your work place? |

* Reverse coded
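
The reverse coding marked with * in Tables 4-3 and 4-9 and the composite behaviour score described in Section 4.5.8 can be sketched as follows. This is an added example, not code from the thesis: the function names, the rejection of out-of-range answers and the rule that a participant with any unanswered item gets no composite are assumptions, and the sample participant is constructed.

```python
"""Reverse coding and composite scoring for Likert-type items (added example)."""
from statistics import mean

# Item identifiers and reverse-coded items as listed in Table 4-9.
# The scale runs from 1 ('Never') to 5 ('Very frequently').
ISB_ITEMS = ("ISB1", "ISB2", "ISB3", "ISB4", "ISB5", "ISB6")
ISB_REVERSED = frozenset({"ISB2", "ISB3", "ISB4"})


def reverse_code(value, low, high):
    """Mirror a response on its scale: on 1-5, 1<->5, 2<->4 and 3 stays 3."""
    return low + high - value


def score_items(response, items, reversed_items, low, high):
    """Return {item: scored value or None} for one participant.

    response maps item identifiers to integer answers; a missing key or None
    is an unanswered item. Out-of-range or non-integer answers raise
    ValueError so that data-entry errors are never averaged into a score
    (an assumption of this example).
    """
    scored = {}
    for item in items:
        raw = response.get(item)
        if raw is None:
            scored[item] = None
            continue
        if isinstance(raw, bool) or not isinstance(raw, int) or not low <= raw <= high:
            raise ValueError(f"{item}: {raw!r} is outside the {low}-{high} scale")
        scored[item] = reverse_code(raw, low, high) if item in reversed_items else raw
    return scored


def isb_composite(response):
    """Average of the six scored ISB items, or None if any item is unanswered.

    Requiring all six answers is an assumption; the text only states that the
    composite is the average of the six items.
    """
    scored = score_items(response, ISB_ITEMS, ISB_REVERSED, 1, 5)
    if any(value is None for value in scored.values()):
        return None
    return mean(scored.values())


# Constructed participant (not survey data): changes passwords frequently but
# very frequently backs up work data on personal devices (ISB2 = 5).
SAMPLE = {"ISB1": 4, "ISB2": 5, "ISB3": 1, "ISB4": 2, "ISB5": 3, "ISB6": 4}

if __name__ == "__main__":
    print("scored items:", score_items(SAMPLE, ISB_ITEMS, ISB_REVERSED, 1, 5))
    print("composite after reverse coding:", isb_composite(SAMPLE))
    # Averaging the raw answers would count risky habits as good behaviour.
    print("naive average of raw answers:", round(mean(SAMPLE.values()), 2))
```

The same `score_items` call covers the starred organisational culture items when given their identifiers and the 1 to 5 agreement scale.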
4.6 Pre-testing
After development of the draft questionnaire, five pre-testers were identified from the
pool of government employees of Bhutan who were studying postgraduate degrees at
Western Australian universities. Of the five pre-testers, three had worked in the
information technology field and two had worked in administration and accounting.
In this phase, both hard copies of the draft questionnaire and a link to the online
questions in SurveyMonkey were sent to five pre-testers. The purpose of the pre-
testing was to seek general feedback and comments on the measurement items, and to
establish face validity of the measurement items. Face validity is the extent to which
the measurement items appear to measure the construct they are intended to measure,
as determined by those who will be surveyed (Hair, Black, Babin, & Anderson, 2010).
The pre-testers generally found the measurement items to be clear and understandable,
but comments and suggestions provided by them were used to improve the
questionnaire; for example, wording that they found difficult to understand was
clarified to better suit the local context. The data gathered in this phase were not used
in the analysis of the results.
4.7 Data collection procedure
The online questionnaire was created and administered using SurveyMonkey
(http://www.surveymonkey.com). SurveyMonkey was chosen because it has
capabilities to automate (design, create and administer) the survey process and also
has some analytical tools useful during the analysis of the results.
As discussed in Section 4.3, the data was collected in collaboration with the DITT in
Bhutan. Firstly, the potential participants were identified in consultation with them,
and then email invitations that included a web link to participate in the survey were
sent to the participants. In the email invitation the purpose of the research and intended
outcomes were explained and information about a prize draw for those participating
was provided. The contact details of the researchers and information about ethics
approval were also provided in the email invitation. The participants were also
informed that all responses to the questionnaire would be anonymous, and that no
identifying details were collected.
The introductory screen (information letter) of the questionnaire (see Appendix E)
repeated the information provided in the recruitment email and asked participants to
provide consent to participate in the survey by clicking ‘Yes’ to a question asking for
consent. Those who did not wish to participate were given the option to decline and
exit. At the end of the questionnaire the participants were thanked and were asked
whether they wished to participate in a prize draw. The participants who wished to do
so were asked to provide their name, contact number and email address. The questionnaire
was intended to take no longer than 15 minutes to complete.
4.8 Data analysis technique
In this study, the data collected was analysed using PLS-SEM. An ordinary least
squares regression method is used in PLS to estimate relationships in a research model
(Hair et al., 2017). PLS-SEM using SmartPLS 3.0 (Ringle et al., 2015) and
bootstrapping with 500 subsamples was used to test the research model.
A PLS model consists of two elements. The first element of the path model is the
measurement model, also called the outer model. The measurement model describes
the relationships between the constructs and their measures or indicators. The second
element of the path model is the structural model, also referred to as an inner model.
The structural model represents the relationships between the constructs. A two-step
process which involved separate assessments of the measurement model and the
structural model was used. The PLS model assessment initially focused on the
measurement model. After evaluation of the measurement model the next step was the
assessment of the structural model.
Figure 4-1 shows the data analysis techniques used in this research study. Detailed
descriptions of how the measurement and structural models were assessed are provided
in Sections 4.8.1 to 4.8.2.
4.8.1 Assessment of measurement model
In the measurement model internal consistency of all constructs except information
security behaviour was assessed using composite reliability (CR), and Cronbach’s
alpha was also calculated for comparison purposes. Convergent validity (CV) of these
constructs was then examined by assessing outer loadings and average variance
extracted (AVE). Lastly, discriminant validity (DV) of the constructs was assessed by
three separate approaches (cross loadings, Fornell-Larcker criterion and the
heterotrait-monotrait (HTMT) ratio of correlations) as suggested by Hair et al. (2017).
As discussed in Section 4.5.7, information security behaviour was treated as a
composite variable.
4.8.1.1 Internal consistency
Internal consistency is the extent to which all of the measurement items for a construct
measure the same construct. CR provides an estimate of reliability based on the inter-
correlations of the measurement items to determine the internal consistency of a
construct’s measurement items.
CR is interpreted in the same way as Cronbach’s alpha. It is recommended that the CR
values should be between 0.70 and 0.90. Values above 0.95 are not recommended as
this indicates that the items are measuring the same facets of the construct in question
(Hair et al., 2017). The Cronbach’s alpha values of the constructs were also calculated
for comparison purposes in this study. A Cronbach’s alpha of above 0.6 is
recommended for exploratory research (Hair et al., 2017).
4.8.1.2 Convergent validity
CV is the extent to which a measure and alternative measures of the same construct
are positively correlated. All measurement items that measure a construct should share
a large amount of variance with each other (Hair et al., 2017). CV was evaluated by
assessing outer loadings of measurement items, and the AVE for each construct.
Outer loading strength indicates a measurement item's total contribution to the
construct. In this study, all measurement items with outer loadings above 0.708 were
retained as recommended by Hair et al. (2017). All measurement items with outer
loadings between 0.4 and 0.6 were examined for deletion. Measurement items were
considered for deletion if doing so improved the values of CR and AVE. All
measurement items with outer loadings below 0.4 were removed as advised by Hair et
al. (2017).
AVE is the average amount of variance in the measurement items that is accounted for
by the construct. It is recommended that AVE of each construct should be at least 0.5
to establish CV (Hair et al., 2017).
4.8.1.3 Discriminant validity
DV refers to the extent to which a construct is truly unique from other constructs and
captures a phenomenon that is not represented by other constructs in the PLS model,
that is, the construct has unique and distinct characteristics that do not represent
other constructs in the PLS path model. To evaluate DV, item cross loadings, the
Fornell-Larcker criterion, and HTMT were used in the study (Hair et al., 2017).
In the cross loadings method, DV is determined by comparing the cross loadings of
measurement items of a construct with other constructs. DV is established if the
loadings of the items of a construct on the associated construct are greater than any of
the cross-loadings on other constructs (Hair et al., 2017).
In the Fornell-Larcker method, DV is determined by establishing if the square root
of each construct’s AVE is greater than its correlations with any of the other constructs.
This establishes that each construct shares more variance with its measurement items
than it does with the other constructs.
Henseler, Ringle, and Sarstedt (2015) proposed also assessing DV by using the HTMT
ratio. The HTMT ratio is the average of correlations of the measurement items across
constructs measuring different phenomena relative to the average of the correlations
of measurement items within the same construct. In this approach, HTMT values were
examined against the maximum threshold value of 0.85 (Hair et al., 2017). In addition
to this, as recommended by Hair et al. (2017) the lower bound (2.5%) and upper bound
(97.5%) of the 95% (bias-corrected and accelerated) confidence interval were obtained
using PLS-SEM. These confidence intervals (upper and lower bounds) were examined
to see whether they included the value 1, which would indicate a lack of DV.
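
The checks in Sections 4.8.1.1 to 4.8.1.3 can be computed directly, as in this added example, which is not from the thesis or from SmartPLS. The loadings and responses are constructed, the function names are this example's own, and flagging every loading from 0.4 up to 0.708 for review is an assumption that also covers the 0.6 to 0.708 band the text does not mention.

```python
"""Measurement-model checks from Section 4.8.1 on constructed data (added example)."""
from itertools import combinations
from math import sqrt
from statistics import mean, variance


def pearson(x, y):
    """Pearson correlation of two equally long response columns."""
    mx, my = mean(x), mean(y)
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    return sxy / sqrt(sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y))


def composite_reliability(loadings):
    """CR from standardised outer loadings: (sum l)^2 / ((sum l)^2 + sum(1 - l^2))."""
    squared_sum = sum(loadings) ** 2
    return squared_sum / (squared_sum + sum(1 - l ** 2 for l in loadings))


def average_variance_extracted(loadings):
    """AVE: mean of the squared standardised outer loadings."""
    return sum(l ** 2 for l in loadings) / len(loadings)


def cronbach_alpha(columns):
    """Alpha from raw responses; columns holds one list of answers per item."""
    k = len(columns)
    totals = [sum(row) for row in zip(*columns)]
    return k / (k - 1) * (1 - sum(variance(c) for c in columns) / variance(totals))


def triage_loadings(loadings):
    """Map {item: outer loading} to 'retain', 'review' or 'remove'."""
    decision = {}
    for item, loading in loadings.items():
        if loading > 0.708:
            decision[item] = "retain"
        elif loading < 0.4:
            decision[item] = "remove"
        else:
            # Assumption: the whole 0.4-0.708 band is reviewed; an item is then
            # dropped only if doing so improves CR and AVE.
            decision[item] = "review"
    return decision


def fornell_larcker_violations(ave, correlations):
    """Return construct pairs whose correlation reaches sqrt(AVE) of either one.

    ave is {construct: AVE}; correlations is {(construct_a, construct_b): r}.
    """
    return [pair for pair, r in correlations.items()
            if min(sqrt(ave[pair[0]]), sqrt(ave[pair[1]])) <= abs(r)]


def htmt(columns_a, columns_b):
    """Heterotrait-monotrait ratio for two constructs with at least two items each."""
    hetero = mean(abs(pearson(a, b)) for a in columns_a for b in columns_b)
    mono_a = mean(abs(pearson(a, b)) for a, b in combinations(columns_a, 2))
    mono_b = mean(abs(pearson(a, b)) for a, b in combinations(columns_b, 2))
    return hetero / sqrt(mono_a * mono_b)


# Constructed inputs (not the thesis results): outer loadings for three items per
# construct and 7-point responses from eight hypothetical participants.
LOADINGS = {
    "SMS": {"SMS1": 0.86, "SMS2": 0.81, "SMS3": 0.55},
    "ISC": {"ISC1": 0.79, "ISC2": 0.83, "ISC3": 0.35},
}
RESPONSES = {
    "SMS": [[6, 5, 7, 3, 4, 6, 2, 5], [6, 4, 7, 3, 5, 6, 2, 5], [5, 5, 6, 2, 4, 7, 3, 5]],
    "ISC": [[5, 4, 6, 4, 3, 5, 3, 6], [5, 5, 6, 3, 3, 6, 2, 6], [4, 4, 7, 4, 2, 5, 3, 5]],
}

if __name__ == "__main__":
    ave = {}
    for name, items in LOADINGS.items():
        values = list(items.values())
        ave[name] = average_variance_extracted(values)
        print(name,
              "CR=%.3f" % composite_reliability(values),
              "AVE=%.3f" % ave[name],
              "alpha=%.3f" % cronbach_alpha(RESPONSES[name]),
              triage_loadings(items))
    # 0.62 is a constructed construct-level correlation.
    print("Fornell-Larcker violations:",
          fornell_larcker_violations(ave, {("SMS", "ISC"): 0.62}))
    ratio = htmt(RESPONSES["SMS"], RESPONSES["ISC"])
    print("HTMT=%.3f" % ratio, "(below 0.85)" if ratio < 0.85 else "(DV not established)")
```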
4.8.2 Assessment of structural model
In this phase, the assessment of the structural (inner) model was conducted, where the
relationships between constructs and predictive capabilities of the model were
examined. The structural model, as suggested by Hair et al. (2017), was assessed on:
1) collinearity; 2) path coefficients; 3) total effects; 4) coefficient of determination
(R²); 5) effect size (f²); 6) predictive relevance (Q²); and 7) effect size (q²).
4.8.2.1 Collinearity
Collinearity assessment determines the level of correlation between constructs. A
strong level of false predictability is observed if there is a high rate of correlation
between constructs in the PLS path model. To assess this the variance inflation factor
(VIF) values of all sets of predictors were examined. VIF values above 0.5 indicate
collinearity problems among constructs (Hair et al., 2017).
4.8.2.2 Path coefficients
Path coefficients represent the hypothesized relationships among the constructs. Path
coefficient values range between -1 and +1. Path coefficients with values below 0.2
are considered weak, 0.2 to 0.5 are considered moderate and above 0.5 are considered
strong (Cohen, 1988). A path coefficient was assumed significant when the t value was
larger than 1.96 (significance level of 5%, two-tailed test).
4.8.2.3 Total effects
In this study, total effects were assessed to determine how strongly each of the
independent constructs ultimately influences the dependent constructs (information
security culture and information security behaviour) via the mediating constructs. A
total effect is the sum of the direct effects between independent constructs and any
other indirect effects on dependent constructs via mediating constructs.
4.8.2.4 Coefficient of determination (R²)
Coefficient of determination or R² represents the combined effects of all independent
constructs on the dependent construct. R² ranges from 0 to 1. A higher R² indicates a
higher level of predictive accuracy of the PLS path model. In this study R² values of
0.75, 0.50, and 0.25 for the dependent constructs were considered as substantial,
moderate, and weak ability to explain the variance in the constructs (Hair et al., 2017).
4.8.2.5 Effect size (f²)
Effect size (f²) values were examined to find out the level of impact of each of the
independent constructs on the dependent constructs. f² values were obtained by
observing change in the variance of a dependent construct in the PLS path model when
independent constructs were removed. f² values of 0.02 were considered as a small
effect, 0.15 as a medium effect, 0.35 as a large effect, and f² values of less than 0.02
were considered as having no effect (Cohen, 1988).
4.8.2.6 Predictive relevance (Q²)
Predictive relevance or Q² is a measure of the quality of the PLS path model. Q²
indicates the ability of the path model to accurately predict the collected data values.
As recommended by Hair et al. (2017) Q² values larger than 0 indicate that the PLS
path model holds predictive relevance for the dependent constructs.
4.8.2.7 Effect size (q²)
Effect size q² was assessed to determine the predictive relevance of each independent
construct on the dependent constructs in the PLS path model. The q² values were
calculated manually using the following formula, since the SmartPLS 3.0 (Ringle et
al., 2015) software does not readily provide q² values:

$$q^2 = \frac{Q^2_{\text{included}} - Q^2_{\text{excluded}}}{1 - Q^2_{\text{included}}}$$

As suggested by Hair et al. (2017), q² values less than 0.02 were considered to indicate
small predictive relevance effect sizes, q² values between 0.02 and 0.35 indicate medium
predictive relevance effect sizes, and q² values of 0.35 and above indicate large
predictive relevance effect sizes.
4.9 Chapter overview
This chapter described the research methods adopted for the study, including the
procedures and techniques used to collect and analyse data. The target population for
this study is employees of government organisations in Bhutan and the study used a
quantitative research method administered via an online questionnaire to collect data.
The chapter describes the development of the measurement items, most of which were
adopted from existing information security research. The draft questionnaire was pre-
tested by members of the target population, and the participants were recruited in
collaboration with the DITT in Bhutan. The questionnaire was created and
administered using SurveyMonkey.
The chapter also discussed the data analysis techniques used for the study. The data
collected was analysed using PLS-SEM with SmartPLS 3.0 (Ringle et al., 2015). The
measurement model was first evaluated for CR, CV and DV. Then the structural model
was assessed for collinearity, path coefficients, total effects, coefficient of
determination, effect size (f²), predictive relevance (Q²), and effect size (q²).
The next chapter presents the results obtained from the analysis of the data collected
and analysed as described in this chapter.
Chapter 5 Data Analysis and Results
5.1 Introduction
The previous chapter discussed the research methods and data analysis techniques used
in the research. This chapter provides the results of the data analysis undertaken to test
the research model and answer the research questions.
The chapter starts with background information about the participants and their use of
technology in the workplace. In the next section the evaluation of the research model
is provided. Firstly, the results of the assessment of the measurement model are
presented. This is followed by the results obtained from the structural model
assessment, which include path coefficients and the variability in the dependent
constructs that is explained by the model. The chapter concludes with a summary of
the findings.
5.2 Descriptive statistics
In this section descriptive statistics about the participants in terms of gender, age,
educational qualification, number of years worked, personal use of work computers,
use of social networking sites in the workplace, and self-reported information security
knowledge and skills are provided. There were 181 valid completions of the online
questionnaire.
Of the participants who provided information about their gender, 117 (65.4%) were
male and 62 were female (34.6%). RCSC (2019a) reported that the Bhutan civil service
sector is 63.1% male and 36.9% female, thus this gender distribution was
representative of the Bhutan civil service sector.
Table 5-1 shows the age distribution of the participants. The largest category of
participants was those between 31 and 35 years of age (32.7%), followed by those in
the 26-30 (22.6%) and 46-50 (19.2%) years of age categories. The participants’ mean
age was 35 years, and the median age was 34 years. The median age for Bhutan civil
servants is also 34 years (RCSC, 2019a). The participants were therefore
representative of civil servants in Bhutan in terms of age.
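Table 5-1 Age distribution

| Age group | Number | Percent |
|---|---|---|
| 21-25 | 9 | 5.1 |
| 26-30 | 40 | 22.6 |
| 31-35 | 58 | 32.7 |
| 36-40 | 34 | 19.2 |
| 41-45 | 17 | 9.6 |
| 46-50 | 12 | 6.8 |
| 51-55 | 4 | 2.3 |
| 56-60 | 3 | 1.7 |
| Total | 177 | 100 |
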
The participants had worked a minimum of 1 year and a maximum of 36 years in the
civil service sector, with an average working experience of 11 years. Civil servants in
Bhutan have worked an average of 11 years in the civil service sector (RCSC, 2019a).
Therefore, the participants were representative of the civil service sector in terms of
length of employment.
Of the 161 participants who provided valid responses, 26 (16.1%) worked in
information technology jobs and the remaining 135 (83.9%) in non-information
technology jobs such as audit, finance, budget, administration, human resources,
survey, health, roads and construction. Civil servants working in information
technology jobs were over-represented in the sample, as RCSC (2019a) reports that
only 1.13% of Bhutanese civil servants are employed in information technology jobs.
Table 5-2 shows the highest level of educational qualification completed by
participants. More than half of the participants (53.4%) have completed an
undergraduate university degree and 28.6% a master’s degree. RCSC (2019b) reports
that 29.32% of civil servants have completed undergraduate degrees and 9.9% have
completed master’s degrees. Therefore, civil servants who have completed master’s
degrees and undergraduate degrees were over-represented in the study.
Table 5-2 Educational background

| Highest level of education | Number | Percent |
|---|---|---|
| Completed year 10 | 7 | 3.9 |
| Completed year 12 | 6 | 3.4 |
| Completed certificate/diploma | 19 | 10.7 |
| Completed undergraduate degree | 95 | 53.4 |
| Completed masters degree | 51 | 28.6 |
| Completed PhD/doctoral degree | 0 | 0 |
| Total | 178 | 100 |

As shown in Table 5-3 the majority of participants (68.0%) reported that they use
office computers for personal business, and 71.1% take office computers home for
personal business.
As shown in Table 5-4, the majority (69.3%) of participants did not use social
networking sites to exchange work related information. However, 30.7% of the
participants reported using social networking sites to exchange work related
information. Of those who had exchanged work related information using social
networking sites, Facebook was most commonly used (32% of the 55 who had done
so), followed by WeChat (23.8%) and WhatsApp (13.8%). This finding highlights the
risk that social networking poses in the workplace in Bhutan.
Table 5-3 Use of office computers

| Categories | Response | Number | Percent |
|---|---|---|---|
| Use office computer for personal business | Yes | 123 | 68.0 |
| | No | 54 | 29.8 |
| | NA | 4 | 2.2 |
| | Total | 181 | 100 |
| Take office computer to home | Yes | 128 | 71.1 |
| | No | 43 | 23.9 |
| | NA | 9 | 5.0 |
| | Total | 181 | 100 |

Table 5-4 Use of social networking sites for work

| Use of social networking sites to exchange work information | Number | Percent |
|---|---|---|
| Often | 55 | 30.7 |
| Never | 124 | 69.3 |
| Total | 179 | 100 |

As shown in Table 5-5, the majority of participants (63.9%) believed that they had
average levels of information security knowledge and skills. A very low percentage of
participants (2.8%) believed that they had expert levels, and a very low percentage of
participants (3.3%) reported that they had no prior knowledge of information security.
Table 5-5 Level of information security knowledge and skills
Information security knowledge and skills Number Percent
None 6 3.3
Below average 8 4.4
Average 115 63.9
Good 46 25.6
Expert 5 2.8
180 100
5.3 Research model evaluation
This section presents the results of the testing of the proposed research model using
the data analysis techniques discussed in Section 4.8. In this section, firstly the results
of the measurement model evaluation are provided, followed by the structural model
evaluation.
5.3.1 Measurement model evaluation
As discussed in Section 4.8.1, the measurement model was assessed for internal
consistency, CV and DV. Internal consistency was assessed using CR. CV was
assessed using outer loadings and AVE, and DV was assessed using three different
methods (cross loadings, Fornell-Larcker criterion, and HTMT).
5.3.1.1 Internal consistency
CR provides an estimate of reliability based on the inter-correlations of the
measurement items to determine the internal consistency of a construct’s measurement
items. CR values should be between 0.70 and 0.90, and CR above 0.95 is not
recommended as the measurement items of the construct in question measure the same
phenomenon (Hair et al., 2017).
Table 5-6 presents initial CR and Cronbach’s alpha of the constructs. As can be seen
in Table 5-6, all constructs were found to have CR values of above 0.70 as
recommended by Hair et al. (2017). Senior management support had the highest CR
with 0.955, which is above the recommended threshold. Therefore, the measurement
items of senior management support were reviewed and considered for removal.
Table 5-6 Initial CR and Cronbach’s alpha of the constructs
Construct CR Cronbach’s alpha
Process- vs results-oriented organisational culture 0.771 0.603
Employee- vs job-oriented organisational culture 0.881 0.839
Open vs closed system organisational culture 0.809 0.689
Tightly vs loosely controlled organisational culture 0.749 0.502
Senior management support 0.955 0.944
Training & awareness campaigns 0.924 0.902
Interpersonal trust 0.921 0.893
Information security policy 0.921 0.872
Information security culture 0.910 0.882
Information security behaviour* - -
* As a composite variable was used to represent information security behaviour, CR and Cronbach’s alpha were not computed.
The PLS-SEM algorithm was re-run after sequentially removing each of the
measurement items for senior management support to determine if there was any
decrease in CR. Removal of the measurement item SMS3 decreased CR to 0.948.
Therefore, SMS3 was removed and the other measurement items for senior
management support were retained.
Cronbach’s alpha was also calculated for comparison purposes (see Table 5-6).
Cronbach’s alpha is sensitive to the number of items in the scale and generally provides
lower reliability values than CR, and Cronbach’s alpha of 0.6 is considered acceptable
in exploratory research (Hair et al., 2017). Although the Cronbach’s alpha for tightly
versus loosely controlled organisational culture (0.502) was less than 0.6, all
measurement items were retained for further measurement model analysis as CR was
acceptable.
5.3.1.2 Convergent validity
CV is the extent to which a measure and alternative measures of the same construct
are positively correlated. In the next part of the measurement model assessment, the
CV of the constructs was first assessed by examining the outer loadings of the
measurement items. As suggested by Hair et al. (2017) for reflective indicators,
measurement items with outer loadings below 0.4 were considered for deletion,
measurement items above 0.4 and below 0.708 were analysed for the impact of item
deletion on internal consistency, and measurement items of 0.708 and above were
automatically retained.
Table 5-7 presents the initial outer loadings of the measurement items associated with
each construct. Measurement items with values lower than the recommended 0.708
are highlighted in bold.
Table 5-7 Initial outer loadings of the measurement items
Item association Initial outer loadings
Process- versus results-oriented organisational culture
OC_PR1 -0.104
OC_PR2 0.537
OC_PR3 0.760
OC_PR4 0.764
OC_PR5 -0.597
Employee- versus job-oriented organisational culture
OC_EJ1 0.062
OC_EJ2 0.802
OC_EJ3 0.725
OC_EJ4 0.782
OC_EJ5 0.254
OC_EJ6 0.656
OC_EJ7 0.813
OC_EJ8 0.659
Open versus closed system organisational culture
OC_OC1 0.804
OC_OC2 0.796
OC_OC3 0.754
OC_OC4 0.491
Tightly versus loosely controlled organisational culture
OC_TL1 0.539
OC_TL2 0.508
OC_TL3 0.767
OC_TL4 0.685
OC_TL5 0.076
OC_TL6 0.115
OC_TL7 0.568
Senior management support
SMS1 0.813
SMS2 0.862
SMS3 0.882
SMS4 0.937
SMS5 0.901
SMS6 0.900
Training & awareness campaigns
ISTA1 0.785
ISTA2 0.847
ISTA3 0.800
ISTA4 0.844
ISTA5 0.867
ISTA6 0.769
Interpersonal trust
Trust1 0.747
Trust2 0.810
Trust3 0.867
Trust4 0.903
Trust5 0.855
Information security policy
ISP1 0.891
ISP2 0.897
ISP3 0.887
Information security culture
ISC1 0.820
ISC2 0.841
ISC3 0.833
ISC4 0.805
ISC5 0.748
ISC6 0.707
Two low loading measurement items for process- versus results-oriented
organisational culture were removed as the outer loadings were below 0.400: OC_PR1
(-0.104) and OC_PR5 (-0.597). Whilst OC_PR5 was included in the measures of this
dimension of organisational culture used by Verbeke (2000) and Cadden et al. (2013),
the Likert scale version used in this study appeared to be problematic for the
participants to understand, and the more descriptive anchor points used by Verbeke
(2000) are recommended for future studies of this kind. The other low loading
measurement item, OC_PR2 (0.537), was retained because the AVE (0.543) of the
construct was already above 0.5, and the item adds to the content validity of the
measurement scale. The measurement item in question relates to the measurement of
employee behaviour in a team environment.
Employee- versus job-oriented organisational culture had two measurement items with
outer loadings of less than 0.4 (OC_EJ1 and OC_EJ5). These items were removed.
OC_EJ6 (0.656) and OC_EJ8 (0.659) were retained because removal of these
measurement items had no effect on AVE or CR, and also their removal may have had
a negative influence on the content validity of the measurement scale.
The measurement item OC_OC4 from open versus closed system organisational
culture was considered for removal as its outer loading was 0.461. This item relates to
employees’ privacy in the workplace, and it was retained because its removal had no
effect on AVE or CR and may also have affected the content validity of
the measurement scale.
Two low loading measurement items for tightly versus loosely controlled
organisational culture were deleted as they were below 0.400: OC_TL5 (0.076) and
OC_TL6 (0.115). Two further low loading measurement items, OC_TL1 (0.539) and
OC_TL2 (0.508), were removed to improve AVE (from 0.278 to 0.504). The other
low loading measurement item, OC_TL7 (0.568), was retained because the AVE value
of the construct in question was satisfactory after removing OC_TL1 and OC_TL2, and
retaining the item would help maintain the content validity of the measurement scale.
As seen in Table 5-7 the outer loadings for all of the measurement items of senior
management support, training & awareness campaigns, interpersonal trust, and
information security policy were above 0.708. Therefore, all measurement items of
these constructs were retained.
The information security culture measurement item ISC6 (0.707) was retained as its
outer loading value was close to the recommended value of 0.708 (Hair et al., 2017),
and retaining the item adds to the content validity of the measurement scale. The item in
question relates to information security as a shared norm in organisations. The final
outer loadings obtained for the measurement items associated with each of the
constructs are presented in Table 5-8 and Figure 5-1.
Table 5-8 Final outer loadings for each construct
Item association Final outer loadings Sample mean Std. dev. t statistics
Process- versus results-oriented organisational culture
OC_PR2 0.584 0.556 0.143 4.035***
OC_PR3 0.834 0.828 0.061 13.956***
OC_PR4 0.752 0.742 0.080 10.644***
Employee- versus job-oriented organisational culture
OC_EJ2 0.804 0.803 0.030 28.895***
OC_EJ3 0.724 0.723 0.048 14.411***
OC_EJ4 0.783 0.783 0.032 23.875***
OC_EJ6 0.664 0.661 0.057 11.670***
OC_EJ7 0.815 0.811 0.034 24.915***
OC_EJ8 0.658 0.653 0.060 10.606***
Open versus closed system organisational culture
OC_OC1 0.804 0.798 0.047 16.831***
OC_OC2 0.796 0.791 0.053 15.456***
OC_OC3 0.754 0.746 0.068 11.334***
OC_OC4 0.492 0.480 0.119 4.376***
Tightly versus loosely controlled organisational culture
OC_TL3 0.806 0.753 0.146 5.614***
OC_TL4 0.731 0.681 0.196 3.744***
OC_TL7 0.573 0.537 0.255 2.263*
Senior management support
SMS1 0.819 0.817 0.046 18.306***
SMS2 0.853 0.851 0.033 25.515***
SMS4 0.938 0.938 0.013 73.189***
SMS5 0.910 0.910 0.019 47.559***
SMS6 0.912 0.912 0.016 53.375***
Training & awareness campaigns
ISTA1 0.785 0.783 0.034 23.915***
ISTA2 0.847 0.846 0.025 33.579***
ISTA3 0.800 0.801 0.030 25.800***
ISTA4 0.844 0.843 0.027 32.050***
ISTA5 0.867 0.867 0.023 37.379***
ISTA6 0.769 0.768 0.039 18.755***
Interpersonal trust
Trust1 0.748 0.746 0.043 16.953***
Trust2 0.810 0.809 0.039 21.257***
Trust3 0.867 0.865 0.024 37.543***
Trust4 0.903 0.899 0.023 39.603***
Trust5 0.855 0.852 0.031 27.649***
Information security policy
ISP1 0.891 0.891 0.021 40.337***
ISP2 0.897 0.897 0.018 51.855***
ISP3 0.887 0.884 0.032 28.331***
Information security culture
ISC1 0.820 0.819 0.029 28.399***
ISC2 0.841 0.840 0.028 30.059***
ISC3 0.832 0.831 0.035 23.307***
ISC4 0.805 0.804 0.037 28.406***
ISC5 0.739 0.738 0.047 16.314***
ISC6 0.708 0.707 0.065 10.998***
***p < 0.001, **p < 0.01, *p < 0.05
CV was also assessed using AVE. AVE is the average amount of variance in the
measurement items that is accounted for by the construct. AVE of each construct
should be at least 0.5 to establish CV (Hair et al., 2017). The final AVE for all
constructs was above the minimum threshold value of 0.5 (see Table 5-9).
Table 5-9 Construct AVE and final CR
Construct AVE CR
Process- versus results-oriented organisational culture 0.534 0.771
Employee- versus job-oriented organisational culture 0.554 0.881
Open versus closed system organisational culture 0.523 0.809
Tightly versus loosely controlled organisational culture 0.504 0.749
Senior management support 0.788 0.949
Training & awareness campaigns 0.671 0.924
Interpersonal trust 0.702 0.921
Information security policy 0.795 0.921
Information security culture 0.628 0.910
Information security behaviour* - -
* As a composite variable was used to represent information security behaviour, AVE was not computed.
5.3.1.3 Discriminant validity
DV refers to the extent to which a construct is truly distinct from other constructs and
captures phenomena that are not represented by other constructs in the PLS model.
DV was assessed using three different approaches (item cross loadings, Fornell-
Larcker criterion, and HTMT ratio) as described in Section 4.8.1.3.
In the item cross loading approach, the loadings of the measurement items of a
construct on the associated construct are examined. DV is established if the loadings
of the measurement items of a construct are greater than any of the cross-loadings on
other constructs (Hair et al., 2017). As shown in Table 5-10, all measurement items
were found to load higher on their own construct than any other constructs, indicating
that each construct was distinct from all other constructs in the PLS path model.
Therefore, DV was established using the item cross loading approach.
When using the Fornell-Larcker criterion, DV is established if the square root of each
construct’s AVE is greater than its correlations with any of the other constructs (Hair
et al., 2017). The square root of each construct’s AVE is represented in bold along the
diagonal in Table 5-11, and the other values represent its correlations with the other
constructs. DV was found to be established as the square root of each construct’s AVE
is larger than its correlation with any other construct.
In the HTMT ratio approach, the HTMT values for all pairs of constructs are examined
against the maximum threshold value of 0.85 (Hair et al., 2017). As can be seen in
Table 5-12 all HTMT values for all pairs of constructs were below the maximum
threshold value (0.85). Therefore, DV using this approach was considered established.
In addition to the HTMT ratio approach, DV was further confirmed using confidence
intervals of HTMT. In this approach, the lower bound (2.5%) and upper bound (97.5%)
of the 95% (bias-corrected and accelerated) confidence interval were obtained using
PLS-SEM. They were then examined to see whether they included the value 1, which
would indicate a lack of DV (Hair et al., 2017). None of the confidence intervals
included the value 1, further confirming the results of HTMT ratio approach.
Overall, based on the results of all three approaches (item cross loading, Fornell-
Larcker criterion, and HTMT ratio), DV of the constructs was established for the
measurement model.
Table 5-10 Measurement item cross loadings
Columns, in order: Process- vs results-oriented organisational culture (PR); Employee- vs job-oriented organisational culture (EJ); Open vs closed system organisational culture (OC); Tightly vs loosely controlled organisational culture (TL); Senior management support (SMS); Training & awareness campaigns (ISTA); Interpersonal trust (Trust); Information security policy (ISP); Information security culture (ISC)
Item PR EJ OC TL SMS ISTA Trust ISP ISC
OC_PR2 0.584 -0.284 -0.088 -0.211 -0.009 0.012 0.120 0.010 -0.107
OC_PR3 0.834 -0.313 -0.152 -0.033 -0.169 -0.147 -0.264 -0.075 -0.362
OC_PR4 0.752 -0.352 -0.221 -0.239 -0.340 -0.225 -0.211 -0.151 -0.310
OC_EJ2 -0.406 0.804 0.333 0.010 0.202 0.174 0.100 0.084 0.420
OC_EJ3 -0.300 0.724 0.329 0.142 0.301 0.314 0.156 0.168 0.335
OC_EJ4 -0.353 0.783 0.481 0.160 0.270 0.300 0.123 0.117 0.400
OC_EJ6 -0.246 0.664 0.316 0.066 0.223 0.195 0.103 0.128 0.294
OC_EJ7 -0.315 0.815 0.501 0.122 0.195 0.229 0.115 0.235 0.314
OC_EJ8 -0.216 0.658 0.468 0.030 0.270 0.276 0.063 0.128 0.234
OC_OC1 -0.249 0.472 0.804 0.042 0.323 0.235 0.056 0.195 0.277
OC_OC2 -0.174 0.385 0.796 0.056 0.359 0.282 0.056 0.165 0.269
OC_OC3 -0.194 0.395 0.754 0.116 0.269 0.200 0.114 0.189 0.255
OC_OC4 -0.071 0.277 0.492 0.113 0.150 0.141 -0.123 0.166 0.138
OC_TL3 -0.068 -0.119 0.029 0.806 0.178 0.146 0.009 0.167 0.155
OC_TL4 -0.284 0.253 0.169 0.731 0.084 0.116 0.169 0.087 0.144
OC_TL7 -0.013 0.159 0.011 0.573 0.099 0.218 -0.067 0.113 0.106
SMS1 -0.249 0.266 0.333 0.068 0.813 0.368 0.103 0.283 0.388
SMS2 -0.192 0.267 0.406 0.141 0.862 0.442 0.092 0.318 0.395
SMS4 -0.294 0.306 0.326 0.194 0.937 0.541 0.152 0.420 0.550
SMS5 -0.262 0.332 0.399 0.137 0.901 0.522 0.191 0.304 0.503
SMS6 -0.285 0.325 0.337 0.183 0.900 0.569 0.169 0.372 0.537
ISTA1 -0.134 0.257 0.262 0.113 0.533 0.785 0.232 0.472 0.437
ISTA2 -0.153 0.276 0.242 0.103 0.532 0.847 0.272 0.497 0.529
ISTA3 -0.184 0.297 0.253 0.200 0.384 0.800 0.170 0.511 0.469
ISTA4 -0.194 0.280 0.264 0.247 0.464 0.844 0.116 0.500 0.466
ISTA5 -0.210 0.285 0.236 0.217 0.415 0.867 0.209 0.482 0.457
ISTA6 -0.121 0.208 0.236 0.187 0.376 0.769 0.241 0.487 0.379
Trust1 -0.239 0.073 0.085 0.058 0.205 0.235 0.748 0.111 0.308
Trust2 -0.265 0.132 0.028 0.017 0.227 0.289 0.810 0.303 0.386
Trust3 -0.305 0.173 0.089 0.094 0.116 0.206 0.867 0.208 0.364
Trust4 -0.186 0.100 0.011 0.052 0.065 0.131 0.903 0.110 0.293
Trust5 -0.200 0.138 0.041 0.047 0.089 0.168 0.855 0.150 0.306
ISP1 -0.044 0.244 0.236 0.089 0.354 0.574 0.199 0.891 0.408
ISP2 -0.211 0.129 0.224 0.163 0.370 0.510 0.245 0.897 0.427
ISP3 -0.058 0.120 0.184 0.223 0.324 0.518 0.132 0.887 0.338
ISC1 -0.318 0.356 0.241 0.158 0.468 0.451 0.387 0.371 0.820
ISC2 -0.370 0.376 0.296 0.162 0.479 0.521 0.407 0.499 0.841
ISC3 -0.352 0.361 0.327 0.137 0.522 0.513 0.348 0.447 0.832
ISC4 -0.320 0.375 0.284 0.162 0.386 0.396 0.269 0.248 0.805
ISC5 -0.266 0.404 0.163 0.113 0.375 0.455 0.241 0.248 0.739
ISC6 -0.247 0.320 0.271 0.194 0.290 0.284 0.204 0.207 0.708
Table 5-11 Fornell-Larcker criterion for constructs
Columns are the constructs in the same order as the rows; the last value in each row is the diagonal entry.
Process- vs results-oriented organisational culture 0.731
Employee- vs job-oriented organisational culture -0.423 0.744
Open vs closed system organisational culture -0.223 0.536 0.723
Tightly vs loosely controlled organisational culture -0.182 0.120 0.103 0.710
Senior management support -0.292 0.339 0.402 0.168 0.887
Training & awareness campaigns -0.204 0.328 0.303 0.215 0.559 0.819
Interpersonal trust -0.291 0.150 0.062 0.064 0.173 0.252 0.838
Information security policy -0.122 0.187 0.243 0.173 0.387 0.599 0.220 0.892
Information security culture -0.399 0.459 0.335 0.192 0.543 0.561 0.402 0.442 0.792
Table 5-12 HTMT ratio
Columns, in order: Process- vs results-oriented organisational culture; Employee- vs job-oriented organisational culture; Open vs closed system organisational culture; Tightly vs loosely controlled organisational culture; Senior management support; Training & awareness campaigns; Interpersonal trust; Information security policy; Information security culture
Employee- vs job-oriented organisational culture 0.577
Open vs closed system organisational culture 0.369 0.710
Tightly vs loosely controlled organisational culture 0.433 0.385 0.227
Senior management support 0.326 0.388 0.491 0.238
Training & awareness campaigns 0.253 0.381 0.378 0.340 0.597
Interpersonal trust 0.356 0.168 0.159 0.188 0.170 0.274
Information security policy 0.164 0.223 0.317 0.266 0.422 0.676 0.233
Information security culture 0.471 0.523 0.418 0.291 0.578 0.676 0.434 0.480
Information security behaviour 0.209 0.137 0.058 0.251 0.309 0.385 0.058 0.336 0.406
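The convergent validity and Fornell-Larcker checks reported above can be re-derived from the published numbers. The following is an added example, not part of the thesis or of SmartPLS: it recomputes AVE and CR from the final outer loadings in Table 5-8 with the standard formulas for standardised reflective indicators, compares them with Table 5-9, and applies the Fornell-Larcker test to the correlations in Table 5-11. The short construct codes and the function names are this example's own.

```python
from math import sqrt

# Final outer loadings copied from Table 5-8. The construct codes are this
# example's shorthand: PR process/results, EJ employee/job, OC open/closed,
# TL tightly/loosely controlled, SMS senior management support, ISTA training
# & awareness, Trust interpersonal trust, ISP policy, ISC security culture.
LOADINGS = {
    "PR": [0.584, 0.834, 0.752],
    "EJ": [0.804, 0.724, 0.783, 0.664, 0.815, 0.658],
    "OC": [0.804, 0.796, 0.754, 0.492],
    "TL": [0.806, 0.731, 0.573],
    "SMS": [0.819, 0.853, 0.938, 0.910, 0.912],
    "ISTA": [0.785, 0.847, 0.800, 0.844, 0.867, 0.769],
    "Trust": [0.748, 0.810, 0.867, 0.903, 0.855],
    "ISP": [0.891, 0.897, 0.887],
    "ISC": [0.820, 0.841, 0.832, 0.805, 0.739, 0.708],
}

# Initial loadings of all seven TL items (Table 5-7), before any item removal.
TL_INITIAL = [0.539, 0.508, 0.767, 0.685, 0.076, 0.115, 0.568]

# (AVE, CR) as reported in Table 5-9.
REPORTED = {
    "PR": (0.534, 0.771), "EJ": (0.554, 0.881), "OC": (0.523, 0.809),
    "TL": (0.504, 0.749), "SMS": (0.788, 0.949), "ISTA": (0.671, 0.924),
    "Trust": (0.702, 0.921), "ISP": (0.795, 0.921), "ISC": (0.628, 0.910),
}

# Construct correlations below the diagonal of Table 5-11; each row lists the
# correlations with the constructs that precede it in ORDER.
ORDER = list(LOADINGS)
CORR_LOWER = {
    "PR": [],
    "EJ": [-0.423],
    "OC": [-0.223, 0.536],
    "TL": [-0.182, 0.120, 0.103],
    "SMS": [-0.292, 0.339, 0.402, 0.168],
    "ISTA": [-0.204, 0.328, 0.303, 0.215, 0.559],
    "Trust": [-0.291, 0.150, 0.062, 0.064, 0.173, 0.252],
    "ISP": [-0.122, 0.187, 0.243, 0.173, 0.387, 0.599, 0.220],
    "ISC": [-0.399, 0.459, 0.335, 0.192, 0.543, 0.561, 0.402, 0.442],
}


def ave(loadings):
    """Average variance extracted: mean of the squared standardised loadings."""
    return sum(l * l for l in loadings) / len(loadings)


def composite_reliability(loadings):
    """CR = (sum of loadings)^2 / ((sum of loadings)^2 + sum of error variances)."""
    explained = sum(loadings) ** 2
    error = sum(1 - l * l for l in loadings)
    return explained / (explained + error)


def correlation(a, b):
    """Look up the correlation between two different constructs."""
    i, j = ORDER.index(a), ORDER.index(b)
    if i == j:
        raise ValueError("correlation() expects two different constructs")
    return CORR_LOWER[ORDER[max(i, j)]][min(i, j)]


def assess():
    """Apply the thresholds quoted in Section 5.3.1 to every construct."""
    report = {}
    for name, loadings in LOADINGS.items():
        a, cr = ave(loadings), composite_reliability(loadings)
        report[name] = {"ave": a, "cr": cr,
                        "cv_ok": a >= 0.5,            # AVE of at least 0.5
                        "cr_ok": 0.70 <= cr <= 0.95}  # CR above 0.95 is flagged
    return report


def fornell_larcker_violations(ave_by_construct):
    """Return (construct, other) pairs where sqrt(AVE) <= |correlation|."""
    violations = []
    for a in ORDER:
        root = sqrt(ave_by_construct[a])
        for b in ORDER:
            if a != b and abs(correlation(a, b)) >= root:
                violations.append((a, b))
    return violations


def max_deviation_from_reported():
    """Largest absolute gap between recomputed and reported AVE or CR."""
    gaps = []
    for name, values in assess().items():
        gaps.append(abs(values["ave"] - REPORTED[name][0]))
        gaps.append(abs(values["cr"] - REPORTED[name][1]))
    return max(gaps)


if __name__ == "__main__":
    for name, v in assess().items():
        print(f"{name:6s} AVE={v['ave']:.3f} CR={v['cr']:.3f} "
              f"CV ok={v['cv_ok']} CR ok={v['cr_ok']}")
    print("AVE of the seven initial TL items:", round(ave(TL_INITIAL), 3))
    print("Fornell-Larcker violations:",
          fornell_larcker_violations({k: v["ave"] for k, v in assess().items()}))
```

Gaps of about 0.001 against Table 5-9 are expected because the inputs are loadings rounded to three decimals.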
5.3.1.4 Construct descriptive information
Descriptive statistics for each of the constructs are presented in Table 5-13. The
responses to each of the measurement items used to measure constructs in the final
PLS path model were averaged for each participant.
Table 5-13 Construct summary descriptive statistics
Min Max Mean Std. Dev.
Process- versus results-oriented organisational culture 1 5 2.40/5 1.04
Employee- versus job-oriented organisational culture 1 5 3.33/5 1.15
Open versus closed system organisational culture 1 5 2.64/5 1.02
Tightly versus loosely controlled organisational culture 1 5 3.09/5 1.16
Senior management support 1 7 4.90/7 1.69
Training & awareness campaigns 1 7 3.99/7 1.54
Interpersonal trust 1 7 4.35/7 1.55
Information security policy 1 7 3.98/7 1.85
Information security culture 1 7 4.66/7 1.41
Information security behaviour 1.677 5 3.33/5 0.68
Senior management support had the highest mean, with 4.90 out of 7. This indicates
that the majority of the respondents considered that senior management in their
organisation were aware of information security issues and concerns, and that senior
management provides an adequate level of support to information security programs and
initiatives in the organisation.
Information security culture (4.66) had the second highest mean out of 7, which is
followed by interpersonal trust (4.35). The respondents in general considered that their
organisations have a relatively positive information security culture, and in general,
the respondents were relatively trusting of one another.
Training & awareness campaigns had a mean of 3.99 (out of 7) and information
security policy 3.98 (out of 7). This signifies that the respondents had some awareness
of information security initiatives in the organisation. Also, the majority of the
respondents reported that their organisation has some kind of rules, guidelines or
policies that regulate the use of computer systems and resources in the workplace.
Information security behaviour had a mean of 3.33 out of 5, and a minimum of 1.67.
This indicates that all respondents were performing at least some information security
behaviours to protect organisational information assets from information security
threats. Employee- versus job-oriented organisational culture also had a mean of 3.33
out of 5. This signifies that government organisations in Bhutan are generally
employee-oriented, where employees’ welfare and support systems are adequately
addressed. The mean levels of the other dimensions of organisational culture were lower:
tightly versus loosely controlled organisational culture (3.09), open versus closed
system organisational culture (2.64) and process- versus results-oriented
organisational culture (2.40).
5.3.2 Structural model evaluation
As discussed in Section 4.8.1.1, the collinearity of the constructs, path coefficients,
total effects, coefficient of determination (R2), effect size (f2), predictive relevance
(Q2), and predictive relevance effect size (q2) were assessed to evaluate the structural
model.
5.3.2.1 Collinearity
Inner VIF values were assessed to determine any potential collinearity among the
constructs in the structural model. As shown in Table 5-14, VIF values of all constructs
were below the recommended value of 5 (Hair et al., 2017). This indicates that none
of the constructs exhibited collinearity with any of the other predictor constructs in the
PLS path model.
Table 5-14 Inner VIF values
Information security culture
Process- versus results-oriented organisational culture 1.364
Employee- versus job-oriented organisational culture 1.675
Open versus closed system organisational culture 1.540
Tightly versus loosely controlled organisational culture 1.076
Senior management support 1.652
Training & awareness campaigns 2.048
Interpersonal trust 1.158
Information security policy 1.603
5.3.2.2 Path coefficients
The path coefficient values were computed by running the PLS algorithm with 5000
bootstrap samples at the 5% significance level (two-tailed test). A path coefficient was
assumed significant when the t value was larger than 1.96 at the 5% level of significance
(Hair et al., 2017). Path coefficients with values below 0.2 were considered weak, 0.2
to 0.5 were considered moderate and above 0.5 were considered strong (Cohen, 1988).
Six of the nine hypothesised relationships were found to be significant. Figure 5-2
shows the final PLS path model and Table 5-15 presents the path coefficients, t and p
values for the nine hypothesised relationships.
As shown in Table 5-15, the relationship between process- versus results-oriented
organisational culture and information security culture was not significant; therefore,
H1 was not supported. This indicates that whether an organisation nurtures a process-
oriented organisational culture or results-oriented organisational culture will not have
any influence on the establishment of an effective information security culture.
Employee- versus job-oriented organisational culture was found to have a moderate
positive influence (0.205) on information security culture. This means that to establish
an effective information security culture, organisations should aim to nurture an
employee-oriented organisational culture rather than a job-oriented organisational
culture. Therefore, H2 was supported. However, neither open versus closed system
organisational culture nor tightly versus loosely controlled organisational culture
influenced information security culture. Therefore, H3 and H4 were not supported.
Senior management support was found to moderately influence the establishment of
an effective information security culture (0.240). Therefore, H5 was supported. This
indicates that having a higher level of senior management support that prioritises
organisational information security in various ways is important to establish an
effective information security culture.
Training & awareness campaigns were found to have a moderate positive relationship
with information security culture (0.202). Therefore, H6 was supported. This means
that having information security training and awareness campaigns in place to try to
help improve employees’ information security knowledge and skills, and create
awareness of information security issues, will positively influence information
security culture.
Table 5-15 Path coefficients
Path coefficient t statistics p value Significant (p < 0.05)
Process- versus results-oriented organisational culture > Information security culture -0.119 1.897 0.058 No
Employee- versus job-oriented organisational culture > Information security culture 0.205 3.010 0.003 Yes
Open versus closed system organisational culture > Information security culture -0.006 0.091 0.927 No
Tightly versus loosely controlled organisational culture > Information security culture 0.027 0.485 0.628 No
Senior management support > Information security culture 0.240 2.828 0.005 Yes
Training & awareness campaigns > Information security culture 0.202 2.747 0.006 Yes
Interpersonal trust > Information security culture 0.217 3.635 0.000 Yes
Information security policy > Information security culture 0.125 1.997 0.045 Yes
Information security culture > Information security behaviour 0.386 5.778 0.000 Yes
Interpersonal trust was found to have a moderate positive relationship (0.217) with
information security culture. Therefore, H7 was supported. This result indicates
that fostering higher levels of employees’ interpersonal trust will help in establishing
an effective information security culture.
A weak positive relationship (0.125) was found between information security policy
and information security culture. Therefore, H8 was supported. This result suggests
that having an information security policy alone is not enough to
ensure an effective information security culture.
Information security culture was found to have a moderate strength relationship with
information security behaviour (0.386). Therefore, H9 was supported. This means that
an effective information security culture is one of the contributors to good information
security behaviour.
Overall, six of the nine hypotheses were supported. A summary of the results of all
hypotheses tested is presented in Table 5-16.
Table 5-16 Summary of hypothesis testing
Hypothesis Results
H1 Having a process-oriented organisational culture has a positive influence on information security culture. Not supported
H2 Having an employee-oriented organisational culture has a positive influence on information security culture. Supported
H3 Having an open system organisational culture has a positive influence on information security culture. Not supported
H4 Having a tightly controlled organisational culture has a positive influence on information security culture. Not supported
H5 Having support from senior management has a positive influence on information security culture. Supported
H6 Having training & awareness campaigns has a positive influence on information security culture. Supported
H7 Having interpersonal trust has a positive influence on information security culture. Supported
H8 Having information security policy has a positive influence on information security culture. Supported
H9 Having a good information security culture has a positive influence on information security behaviour of employees. Supported
5.3.2.3 Total effects
The total effect of each of the independent constructs on the dependent constructs
is presented in Table 5-17. Consistent with the path coefficients reported in Section
5.3.2.2, five of the eight dependent constructs had significant total effects on
information security culture and four of these plus information security culture had a
significant total effect on information security behaviour.
Table 5-17 Total effects
Information security culture Information security behaviour
Process- versus results-oriented organisational culture -0.119 -0.046
Employee- versus job-oriented organisational culture 0.205** -0.079**
Open versus closed system organisational culture -0.006 -0.002
Tightly versus loosely controlled organisational culture 0.027 -0.011
Senior management support 0.240** -0.093*
Training & awareness campaigns 0.197** -0.078**
Interpersonal trust 0.217*** -0.084**
Information security policy 0.125** -0.048
Information security culture -0.386***
***p < 0.001, **p < 0.01, *p < 0.05
The largest total effect on information security culture was that of senior management
support (0.240), followed by interpersonal trust (0.217), employee- versus job-oriented
organisational culture (0.205), and training & awareness campaigns (0.197).
Information security policy (0.125) had the smallest total effect on information
security culture.
The largest total effect on information security behaviour was information security
culture (0.386), which is not surprising considering it is the only construct with a direct
effect on information security behaviour. Of the other constructs considered, the
largest influence on information security behaviour was senior management support
(0.093), followed by interpersonal trust (0.084), employee- versus job-oriented
organisational culture (0.087), and training & awareness campaigns (0.078). Although
information security policy had a small effect on information security culture it did not
have an indirect effect on information security behaviour.
5.3.2.4 Coefficients of determination (R2)
R2 represents the combined effects of all independent constructs on the dependent
construct. R2 indicates the predictive accuracy of the PLS path model. Higher R2 values
(ranging from 0 to 1) indicate a higher level of predictive accuracy (Hair et al., 2017).
The R2 values for the PLS path model are presented in Figure 5-2.
The independent constructs explained 53.1% (R2 = 0.531) of the variance in
information security culture. This indicates that the model provides a moderate level
of predictive accuracy for information security culture. However, information security
culture only explained 14.9% (R2 = 0.149) of the variance in information security
behaviour, which is a weak level of predictive accuracy.
5.3.2.5 Effect size (f2)
Effect size (f2) values were examined to find out the level of impact of each of the
independent constructs on the dependent constructs. f2 values of 0.02 were considered
as a small effect, 0.15 as a medium effect, 0.35 as a large effect, and f2 values of less
than 0.02 were considered as having no effect (Cohen, 1988). Table 5-18 shows the
effect size f2 values of independent constructs to their respective dependent construct.
Table 5-18 Effect size (f2)
Information security culture Information security behaviour
Process- versus results-oriented organisational culture 0.021
Employee- versus job-oriented organisational culture 0.054
Open versus closed system organisational culture 0.000
Tightly versus loosely controlled organisational culture 0.001
Senior management support 0.074
Training & awareness campaigns 0.042
Interpersonal trust 0.087
Information security policy 0.022
Information security culture 0.175
With regard to information security culture, all of the independent constructs except for
open versus closed system organisational culture and tightly versus loosely controlled
organisational culture were found to have small effects. Amongst the constructs having
small effects on information security culture, interpersonal trust had an effect size of
0.087, followed by senior management support (0.074), employee- versus job-oriented
organisational culture (0.054) and training & awareness campaigns (0.042). Process-
versus results-oriented organisational culture (0.021) and information security policy
(0.022) were found to have the smallest of these effect sizes. Information security culture
was found to have a medium sized impact on information security behaviour (f2 =
0.175).
5.3.2.6 Predictive relevance (Q2)
Q2 indicates the ability of the path model to accurately predict the collected data
values. As recommended by Hair et al. (2017), Q2 values larger than 0 indicate that
the PLS path model holds predictive relevance for the dependent constructs.
Q2 values for the dependent constructs (information security culture and information
security behaviour) calculated by using the blindfolding procedure in SmartPLS 3.0
(Ringle et al., 2015) are presented in Table 5-19. The results show that the Q2 values
for both of the dependent constructs were greater than zero indicating that the PLS
path model holds predictive relevance for the dependent constructs.
Table 5-19 Predictive relevance (Q2)
Dependent construct | Q2
Information security behaviour | 0.132
Information security culture | 0.313
5.3.2.7 Predictive relevance effect size (q2)
Predictive relevance effect size (q2) was assessed to determine the predictive relevance
of each independent construct on the dependent constructs in the PLS path model. The
q2 values were calculated manually using the formula provided in Section 4.8.2.7. q2
values less than 0.02 were considered to indicate small effect sizes, q2 values between
0.02 and 0.35 medium effect sizes, and q2 values of 0.35 and above large effect sizes
(Hair et al., 2017). q2 values for the dependent construct (information security culture)
are presented in Table 5-20.
Table 5-20 Predictive relevance effect size (q2)
Independent construct | Information security culture | Inference
Process- versus results-oriented organisational culture | 0.006 | No effect
Employee- versus job-oriented organisational culture | 0.023 | Medium effect
Open versus closed system organisational culture | -0.001 | No effect
Tightly versus loosely controlled organisational culture | 0.000 | No effect
Senior management support | 0.029 | Medium effect
Training & awareness campaigns | 0.017 | Small effect
Interpersonal trust | 0.035 | Medium effect
Information security policy | 0.007 | No effect
Interpersonal trust was found to have the largest predictive relevance effect size on
information security culture (q2 = 0.035), followed by senior management support (q2
= 0.029). Employee- versus job-oriented organisational culture (q2 = 0.023) had small
predictive relevance for information security culture, as did training & awareness
campaigns (q2 = 0.017).
Process- versus results-oriented organisational culture, open versus closed system
organisational culture, tightly versus loosely controlled organisational culture, and
information security policy had no predictive relevance for information security
culture.
5.4 Chapter overview
This chapter reported the results of the research study. The chapter started by
presenting descriptive statistics about the participants and their use of technology in
the workplace. The participants were found to be representative of the Bhutan civil
service in terms of age and gender but were more highly educated.
A two-step data analysis process was used, which involved first assessing the
measurement model and then the structural model. The measurement model was
evaluated for internal consistency, CV and DV, and several measurement items were
removed to improve these. Then the structural model was evaluated for collinearity,
path coefficients, total effects, coefficients of determination (R2), effect size (f2),
predictive relevance (Q2), and predictive relevance effect size (q2). Overall, the
research model explained a relatively high proportion of the variability in information
security culture (53.1%) but only 14.9% of the variability in information security
behaviour. Six out of the nine hypotheses were supported with senior management
support, training & awareness campaigns, information security policy, interpersonal
trust and employee- versus job- oriented organisational culture found to influence the
establishment of information security culture. Also, having an effective information
security culture was found to contribute to good information security behaviour.
The next chapter presents a detailed discussion of the research findings of the study.
Chapter 6 Discussion
6.1 Introduction
In the previous chapter the results of the research study were provided. In this chapter
the results obtained in the previous chapter are discussed in detail.
This chapter begins with a detailed discussion of the results of the hypothesis testing.
The research model is then discussed, in particular its explanatory power. This is
followed by a section that discusses progress towards answering the research
questions. The chapter concludes with a summary.
6.2 Discussion of hypotheses
This section discusses the results of the hypotheses testing. As shown in Table 6-1, six
of the nine proposed hypotheses were supported. The table also shows the strength of
the relationships, which range from weak to moderate. The three hypotheses that were
not supported were H1, H3, and H4, and these all relate to dimensions of organisational
culture. These organisational culture dimensions are process-oriented organisational
culture, open system organisational culture, and tightly controlled organisational
culture.
Table 6-1 Results of the hypothesis testing with relationship strength
Hypothesis | Results | Strength
H1 Having a process-oriented organisational culture has a positive influence on information security culture. | Not supported |
H2 Having an employee-oriented organisational culture has a positive influence on information security culture. | Supported | Moderate
H3 Having an open system organisational culture has a positive influence on information security culture. | Not supported |
H4 Having a tightly controlled organisational culture has a positive influence on information security culture. | Not supported |
H5 Having support from senior management has a positive influence on information security culture. | Supported | Moderate
H6 Having training & awareness campaigns has a positive influence on information security culture. | Supported | Moderate
H7 Having interpersonal trust has a positive influence on information security culture. | Supported | Moderate
H8 Having information security policy has a positive influence on information security culture. | Supported | Weak
H9 Having a good information security culture has a positive influence on information security behaviour of employees. | Supported | Moderate
6.2.1 Process-oriented organisational culture does not influence
information security culture
The research model proposed that having a process-oriented organisational culture
rather than a results-oriented organisational culture will positively influence the
establishment of an effective information security culture. However, having a process-oriented
organisational culture was not found to influence information security culture
(H1). This finding was not in agreement with what was proposed by Tang et al. (2016)
or with the results of Connolly et al. (2016) who found that having a task focus reduced
employees’ compliance with information security policies. However, Chang and Lin
(2007) found that while an organisational culture that focusses on control is conducive
to successful implementation of information security management, excessive control
can indirectly discourage necessary information sharing. Sharing knowledge about
information security is important in establishing an effective information security
culture and may explain the lack of support for this hypothesis. Also, Bavik and
Duncan (2014) noted that different measures of organisational culture vary in their
applicability in different contexts. This research was conducted in government
organisations, which are more constrained in their operations than business
organisations, so it is possible that respondents had a much narrower conception of this
dimension of organisational culture and therefore the variations experienced between
the different government organisations surveyed were too small to observe an effect
on information security culture. Further research is needed to understand the role of
process- versus results-oriented organisational culture.
6.2.2 Having an employee-oriented organisational culture has a
positive influence on information security culture
The research model proposed that having an employee-oriented organisational
culture has a positive influence on information security culture (H2) and this was
supported. This is consistent with what was proposed by Tang et al. (2016), and with
the qualitative study by Connolly et al. (2016) that found that in organisations with a
people-orientation, employees exhibited stronger security behaviour. That is, when
employees feel more supported, they tend to comply with organisational requirements
(Cadden et al., 2013; Xue, Liang, & Wu, 2011), and this is mediated by information
security culture.
On the other hand, in a job-oriented organisational culture where the organisation is
less supportive, employees have to worry about their welfare and concerns while at the
same time undertaking job responsibilities. This has negative impacts on information
security culture, which affects their adherence to the information security policy
requirements. Therefore, nurturing an employee-oriented organisational culture is
important in the establishment of an effective information security culture.
6.2.3 Having an open system organisational culture does not
influence information security culture
Having an open system organisational culture was not found to influence the
establishment of an effective information security culture. Therefore, H3 was not
supported, and this finding is not consistent with what was proposed by Tang et al.
(2016). However, in a study of how organisational culture influences successful
implementation of information security management, Chang and Lin (2007) found that
some dimensions of organisational culture did not have the expected impacts. Their
cooperativeness dimension, which had a flexibility orientation and thus is similar to an
open system organisational culture, did not influence successful implementation of
information security management as proposed. Further research is needed to
understand this result.
6.2.4 Having a tightly controlled organisational culture does not
influence information security culture
Having a tightly controlled organisational culture was found not to influence
information security culture; therefore, H4 was not supported. That is, whether the
organisational culture is tightly controlled or loosely controlled does not appear to
influence information security culture. This finding is not in agreement with what was
proposed by Tang et al. (2016). A possible explanation for this is that although this
construct just met the minimum acceptable criteria for internal consistency and
convergent validity, it may not represent this dimension of organisational culture in
government organisations as well as would be desirable. Bavik and Duncan (2014)
drew attention to the fact that different measures of organisational culture vary in their
applicability in different contexts. Further research on measurement of tightly versus
loosely controlled organisational culture in this domain should help understand
whether it does play a role in establishing an effective information security culture.
6.2.5 Senior management support has a positive influence on
information security culture
Senior management support was shown to positively influence information security
culture as hypothesised (H5). This finding is consistent with the results of Knapp et al.
(2006), Alnatheer et al. (2012) and Greene and D’Arcy (2010).
Senior management support had the strongest effect on information security culture of
any of the factors considered. This result emphasises the critical role of senior
management in the establishment of an effective information security culture.
Organisations will experience improved information security culture when senior
management consider information security to be a priority and show strong and
consistent commitment towards information security initiatives.
6.2.6 Training & awareness campaigns have a positive influence on
information security culture
As proposed in hypothesis H6, having training & awareness campaigns was found to
be a significant predictor of information security culture. That is, having effective
information security training and awareness campaigns is important for the
establishment of an effective information security culture. This finding is consistent
with the findings of Chen et al. (2015), Da Veiga and Martins (2015), Pierce (2012)
and Alnatheer et al. (2012).
Training & awareness campaign programs provide employees with the requisite
information security knowledge and awareness needed for proper use of information
systems, compliance with information security policy requirements and handling of
information assets. This awareness and knowledge underpin information security
culture.
6.2.7 Interpersonal trust has a positive influence on information
security culture
There has been limited research on the role of interpersonal trust in determining
information security culture, but as interpersonal trust has been shown to lead to
greater knowledge sharing (Chen et al., 2014) and to reduce ambiguity (Weick, 1995),
it was proposed to be important in determining information security culture. As
hypothesised, interpersonal trust positively influences information security culture
(H7). This finding supports the inclusion of interpersonal trust in the framework of
information security culture proposed by Ruighaver et al. (2007) and in the list of
factors potentially influencing information security culture proposed by da Veiga et al.
(2020). This finding also supports research loosely linking interpersonal trust to
performance, both in non-security contexts (Koskosas et al., 2011) and information
security contexts (Dang-Pham et al., 2017), and suggests that this influence is via
information security culture.
As interpersonal trust showed the second strongest relationship with information
security culture of any of the factors considered, it can play a very important role in
the establishment of an effective information security culture.
6.2.8 Information security policy has a positive influence on
information security culture
Hypothesis H8 proposed that having good information security policy has a positive
influence on the establishment of an effective information security culture and was
supported. The result is in agreement with the findings of da Veiga (2015a, 2016) and da
Veiga and Martins (2017) who investigated the influence of information security
policies on information security culture via a series of assessments across eight years
and 12 countries.
This result provides evidence that having information security policies is a crucial
information security requirement that must be in place for the establishment of an
effective information security culture. Organisations should have appropriate
information security policies so that employees are made aware of what is expected
from them with regard to information security. Information security policies help
communicate organisational information security objectives, values and beliefs to
support the establishment of an effective information security culture.
6.2.9 An effective information security culture has a positive
influence on information security behaviour
The research model proposes that having an effective information security culture will
positively influence information security behaviour (H9). This hypothesis was
supported and this finding is consistent with the findings of Parsons et al. (2015),
AlKalbani et al. (2015) and D’Arcy and Greene (2009).
The result provides evidence to support that establishing an effective information
security culture does help improve employees’ information security behaviour. The
study also demonstrated that information security policy, training & awareness
campaigns, employee- versus job-oriented organisational culture, interpersonal trust,
and senior management support contribute to improving information security
behaviour via information security culture. However, the relationship between
information security culture and information security behaviour was relatively weak
and only 14.9% of the variability in information security behaviour was explained,
suggesting that other factors are also important in improving information security
behaviour. These might include behavioural intention (Farooq, Ndiege, & Isoaho,
2019; Yoon, Hwang, & Kim, 2019), information security habits (Yoon et al., 2019),
and conscientiousness (personality traits) and ability to control impulsivity (Pattinson,
Butavicius, Parsons, McCormac, & Calic, 2015).
6.3 Model discussion
As presented in Section 1.3, the aim of the study is to determine the factors that
influence the establishment of an effective information security culture, and to
understand the relationship between information security culture and information
security behaviour in government organisations in Bhutan.
The research model as presented in Section 3.4 was self-developed based on the
literature review presented in Section 2.5 and Section 2.5.6. The model includes key
factors identified as potentially influencing information security culture and proposes
that information security culture influences information security behaviour.
Table 6-2 shows the reported R2 values for a number of relevant studies that tested
models related to information security culture and information security behaviour. The
model explained 53.1% variability in information security culture and 14.9%
variability in information security behaviour. This indicates that the research model
explained a relatively high portion of variability in information security culture and a
weak level of variability in information security behaviour, when compared to the
following studies.
Table 6-2 R2 values in information security studies
Study / R2 value: Information Security Culture / Information Security Behaviour / Policy Compliance Intention
Nasir et al. (2020) 57%
Nasir, Arshah, and Ab Hamid (2019) 44.9%
Glaspie (2018) 86.31%
Rocha Flores and Ekstedt (2016) 27% 42%
AlKalbani et al. (2015) 48%
Parsons et al. (2015) 9%
Chen et al. (2015) 37%
D'Arcy and Greene (2014) 45%
Yoon et al. (2019) 39%
The model provides valuable explanatory power to understand the role of potential
factors in establishing an effective information security culture. However, the weak
explanatory power of information security behaviour could be increased by examining
other factors that were not considered in the study. These include information security
behavioural intentions (Farooq et al., 2019; Yoon et al., 2019), information security
habits (Yoon et al., 2019), and conscientiousness (personality trait) and ability to
control impulsivity (Pattinson et al., 2015).
The results of the study show that employee-oriented organisational culture, senior
management support, training & awareness campaigns, interpersonal trust, and
information security policy are positively associated with information security culture;
that is, these factors contribute to the establishment of an effective information security
culture. Of these factors, senior management support has the largest influence on
information security culture, and this is followed by interpersonal trust, employee-
versus job-oriented organisational culture, and training & awareness campaigns
respectively. The study also showed that all of these factors, except information
security policy, have an indirect influence on information security behaviour via
information security culture. The other dimensions of organisational culture (process-
versus results-oriented organisational culture, open versus closed system
organisational culture and tightly versus loosely controlled organisational culture) did
not, however, have any influence on information security culture.
The following section discusses progress towards answering the research questions of
the study.
6.4 Discussion of the research questions
Section 1.3 presented the research questions to be answered in this research. This
section discusses the progress of the study towards answering them in order to address
the research aim.
The first research question for the thesis was:
RQ1: What factors influence the information security culture of government
organisations in Bhutan?
The study investigated dimensions of organisational culture (process- versus results-
oriented, employee- versus job-oriented, open versus closed system, tightly versus
loosely controlled), senior management support, training & awareness campaigns,
interpersonal trust, and information security policy as potential factors influencing
information security culture. H1 to H8 all relate to answering this research question.
All of the factors investigated except for three dimensions of organisational culture
(process- versus results-oriented, open versus closed system, tightly versus loosely
controlled) were found to influence information security culture.
The results showed that senior management support and interpersonal trust have the
largest direct effect on information security culture. This indicates that senior
management must provide higher levels of support and commitment towards
information security initiatives. Also, employees must be supported to build good
interpersonal relationships that nurture higher levels of interpersonal trust.
Employee- versus job-oriented organisational culture, and training & awareness
campaigns were also found to influence the establishment of information security
culture. Specifically, employee-oriented organisational culture has a positive effect on
information security culture, and so does training & awareness campaigns. This
finding indicates that an employee-oriented organisational culture must be nurtured
where employees’ welfare is taken care of, and employees are motivated to comply with
information security requirements. Also, having good information security training and
awareness campaigns will help organisations communicate their information security
strategies and requirements to their employees, which will positively influence
information security culture. Information security policy was found to have a weak
positive effect on information security culture, which indicates that information
security policy does contribute to the establishment of an effective information
security culture. However, because the effect is weak, its relationship with other
factors that influence information security culture should be investigated to determine
if its effect is mediated by factors that influence information security culture (e.g.,
training & awareness campaigns and senior management support).
On the other hand, whether the organisational culture is process- or results-oriented was
not found to influence information security culture, and neither was whether it is tightly
or loosely controlled.
The second research question for the thesis was:
RQ2: How does information security culture influence the information security
behaviour of government employees in Bhutan?
H9 was associated with this research question. The study found that having an effective
information security culture has a moderate positive influence on employees’
information security behaviour. This means that when information security culture
improves, employees’ behaviour with regard to information security will also
improve. Therefore, to cultivate good information security behaviour of employees it
is important that organisations examine and try to improve their information security
culture.
Except for the three dimensions of organisational culture and information security
policy (as mentioned above in RQ1), other factors considered in the study were found
to have an indirect positive influence on information security behaviour, which is
mediated via information security culture.
6.5 Chapter overview
This chapter discussed the results of the study. First, there was a discussion of the
results of the testing of each of the hypotheses, with six out of the nine hypotheses
supported. Identifying the role of interpersonal trust is particularly valuable as it
extends the work of Dang-Pham et al. (2017) and clarifies the importance of
interpersonal trust in establishing an effective information security culture, and
through that good information security behaviour.
The explanatory power of the research model was compared with that of other models
used in studies on information security culture, and the model was found to explain
the variance in information security culture well compared to other studies. However,
it has relatively weak power in explaining variance in information security
behaviour.
Progress towards answering the research questions was discussed, with the following
factors confirmed as influencing information security culture: employee- versus job-
oriented organisational culture, senior management support, training & awareness
campaigns, interpersonal trust, and information security policy. Also, having an
effective information security culture was found to positively influence information
security behaviour of employees, answering RQ2.
The final chapter discusses the study in terms of its research and practical implications,
and its limitations, and then the chapter provides recommendations for future research.
Chapter 7 Conclusion
7.1 Introduction
In the previous chapter the results obtained from the data analysis were discussed in
detail. This chapter summarises the contribution of this study to research and practice.
The chapter begins with a summary of the overall findings of the study, which is
followed by a discussion of the implications for research. This is followed by a section
discussing implications for practice. The chapter then presents the limitations of the
study and provides recommendations for future research.
7.2 Summary of findings
The aim of the research study was to determine the factors that influence the
establishment of an effective information security culture, and to understand the
relationship between information security culture and information security behaviour
in government organisations in Bhutan. The research aim was addressed by answering
two research questions as presented in Section 1.3. These research questions were
answered by testing the research model, which was presented in Section 3.4.
The research model has nine hypotheses and was tested using responses collected from
181 participants. The results show that six of the nine proposed hypotheses were
supported. Also, the model explained 53.1% of the variation in information security
culture and 14.9% of the variability in information security behaviour.
The study identified key factors that influence the establishment of an effective
information security culture. These factors are employee- versus job-oriented
organisational culture, senior management support, training & awareness campaigns,
interpersonal trust, and information security policy. Of these factors, senior
management support and interpersonal trust were found to have the largest effect on
information security culture, followed by employee- versus job-oriented organisational
culture, and training & awareness campaigns respectively. Also, information security
policy was found to have a weak positive effect on information security culture. The
study also found that process- versus results-oriented organisational culture, open
versus closed system organisational culture and tightly versus loosely controlled
organisational culture have no influence on information security culture. Lastly, the
study also found that improving organisational information security culture will have
a positive effect on information security behaviour.
7.3 Implications for research
This study has implications for information security research. Firstly, there has been
limited research that has investigated the role of interpersonal trust in the establishment
of an effective information security culture. This study, therefore, provides support for
the importance of interpersonal trust in improving information security culture in
organisations. It also provides a basis for future research on interpersonal trust as a
contributor to an effective information security culture.
Secondly, the study found that Hofstede’s organisational culture dimensions (Hofstede
et al., 1990) have little effect on information security culture. Only the employee-
versus job-oriented organisational culture dimension was found to influence
information security culture, with employee-oriented organisations having better
information security culture. Therefore, focussing on changing organisational culture
to improve information security behaviour may not be the most effective approach.
Thirdly, there have been limited information security studies which measure the direct
effect of information security culture on information security behaviour. Most
previous information security studies have investigated the effect of information
security culture on compliance intention rather than information security behaviour.
The study found that information security culture has a substantial effect on
information security behaviour. This study, therefore, addresses this research gap and
adds to knowledge about the role of information security culture in improving security
behaviour.
This research also addresses the need for more information security culture research
in developing countries to understand whether the findings from studies in developed
countries apply more broadly. Since the research described in this thesis was
undertaken in Bhutan and the findings are largely as hypothesised based on results
obtained from studies in developed countries, this study provides evidence that the
factors that influence information security culture are broadly applicable across
countries. For example, employee-oriented organisational culture (e.g., Connolly et
al., 2016), senior management support (e.g., Greene & D’Arcy, 2010), training and
awareness campaigns (e.g., Pierce, 2012), and information security policy (e.g.,
Acuña, 2018) were proposed or identified as factors influencing information security
culture in developed countries in the literature review, and have been found to be
important determinants of information security culture in this study in a developing
country.
Lastly, the only previous information security related study undertaken in the Bhutan
context was conducted by Choejey et al. (2017). This study therefore addresses the
lack of previous research in the Bhutan context, and the outcomes can be used as a
reference point for future research in Bhutan on aspects of information security.
7.4 Implications for practice
The findings of this study will help information security practitioners and policy
makers to better understand critical factors that influence information security culture.
This understanding will enable them to develop information security strategies and
programs to establish an effective information security culture. Specifically, the
findings will help government leaders and policy makers in Bhutan and other
developing countries to embed good information security policy in their organisations.
It will also encourage the development of information security strategies and programs
to improve the information security culture in government organisations in Bhutan and
other developing countries.
Senior management support had the biggest effect of any of the factors that were
considered. Therefore, targeting it is important; that is, ensuring that senior
management understand the importance of information security and fully support
initiatives to improve it. This support must also be very visible to employees.
Another important consideration is interpersonal trust, which was found to have the
second biggest effect on information security culture. This indicates that management
and policy makers in organisations should aim to implement strategies and develop
programs targeted to foster higher levels of interpersonal trust. For example,
organisations could establish human resource practices that value strengthening team
reliance and interdependence, where employees are provided with interdependent
tasks and workload sharing. Other ways to foster higher levels of interpersonal trust
include offering group rewards, introducing collective responsibility and team
competency development. Development of employee team competency through
training, creating opportunities or platforms for interaction and improving employee
cooperation can also help foster interpersonal trust (Bulińska-Stangrecka &
Bagieńska, 2018). Developing countries have less investment funding to establish
these training programs and platforms but this research demonstrates how important it
is to have training programs in the workplace (Choejey et al., 2016).
Information security policy only had a weak effect on information security culture. It
was also found that just having information security policy in the organisation did not
improve the information security behaviour of the employees. This indicates that the
relationship between information security policy and information security culture may
be mediated by other factors; for example, information security training and policy
enforcement (Chen et al., 2015). Therefore, management, policy makers, and
information security practitioners must ensure that an adequate level of information
security training and awareness campaigns is provided to employees, and that
information security policies are effectively enforced to ensure compliance.
Overall, organisational culture was found to have little effect on information security
culture. However, having an employee-oriented organisational culture was found to
improve information security culture. This suggests that management should
encourage the establishment of an employee-oriented organisational culture. To foster
an employee-oriented organisational culture, management should develop strategies
and policies where employees’ concerns about wellbeing and welfare are addressed
by the organisation. For example, policies and programs should support employees’
personal development and education/training goals, address health and wellbeing, and
deal with issues related to work pressure.
7.5 Limitations of the research
The research study had a few limitations, which should be addressed in research that
builds on this study. Firstly, the data was collected using online questionnaires, so
there may be an over-representation of respondents from certain geographical
locations, particularly the capital city, Thimphu, where internet access is more reliable
and answering an online questionnaire is not an issue. In contrast, government
employees in more remote regional areas may not have had reliable internet
connectivity, making it more difficult to answer the online questionnaire. As a result,
the participants may not fully represent the population of interest.
Secondly, the research data was collected at a single point in time. As such, the
relationships that were identified may change in future, and additional research using
longitudinal studies would add value. This will ensure that the factors focussed on
when trying to improve information security culture are current and relevant.
Lastly, the number of items in the questionnaire was large. This resulted in some
participants not completing the full questionnaire, reducing the number of valid
responses that could be used in the analysis. This could potentially have reduced the
generalisability of the results.
7.6 Recommendations for future research
This thesis provides a basis for future research on information security culture.
Recommendations for future research that build on this study are presented below.
The proposed model explained the variance in the information security culture much
better than it explained information security behaviour. Therefore, future research
should consider what other factors might directly influence information security
behaviour. These could include threat appraisal and coping appraisal factors associated
with Protection Motivation Theory (PMT) (Rogers, 1983), and factors that have been
investigated in studies that extend models such as PMT. These could include
information security habits (Yoon et al., 2019), and conscientiousness and ability to
control impulsivity (Pattinson et al., 2015). For example, Yoon et al. (2019) found that
habit had a larger impact on information security behaviour than behavioural intention,
and the results of Pattinson et al. (2015) suggest that employees who are more
conscientious and have a higher level of ability to control impulsiveness are likely to
exhibit less risky information security behaviour. Therefore, future research could
investigate the effects of these factors on information security behaviour.
Future research should also investigate the influence of other factors on the
establishment of an effective information security culture. These factors could include
national culture (da Veiga et al., 2020; Govender et al., 2016), policy enforcement
(Alnatheer et al., 2012) and security monitoring (Chen et al., 2015). Several authors
have identified national culture as being potentially important in determining
information security culture, but more research is needed to understand its role.
The effect of information security policy on information security culture was found to
be weak in the current study, and also security policy did not influence information
security behaviour. A possible explanation for this could be that the effect of
information security policy may be mediated by other factors; for example, policy
enforcement as highlighted by Alnatheer et al. (2012). Chen et al. (2015) stated that
having an information security policy alone does not ensure that it will be adhered to;
therefore, future research should investigate the role of information policy
enforcement on information security culture.
Another factor that could potentially influence the establishment of an effective
information security culture is monitoring of information security behaviour and
policy compliance. Investigating this factor in future studies will help provide a better
understanding of how information security monitoring in conjunction with training
and awareness campaigns and other factors can help in developing an effective
information security culture.
Appendix A Summary of research investigating factors that influence information security culture
Columns: Author & Year; Objective or aim; Key findings

Alnatheer et al. (2012)
Objective or aim: To develop and test an information security culture model.
Key findings: Top management involvement, policy enforcement and training were confirmed as factors contributing to good information security culture.

Chen et al. (2015)
Objective or aim: To study the impacts of comprehensive information security programs on information security culture.
Key findings: Security education, training and awareness (SETA) programs and security monitoring positively influenced information security culture.

D'Arcy and Greene (2014)
Objective or aim: To assess the impact of information security culture and organisational factors (job satisfaction and perceived organisational support) on users’ information security compliance intention.
Key findings: Top management commitment, security communication, and computer monitoring all influenced information security culture, and information security culture was found to have a positive influence on information security compliance behaviour.

da Veiga (2015a)
Objective or aim: To determine the effect of awareness of information security policy on the establishment of good information security culture.
Key findings: Employees who had read the information security policy exhibited higher levels of information security culture than those who had not. Employees’ awareness and knowledge of information security policy positively influenced information security culture.

da Veiga (2015b)
Objective or aim: To define an approach to implementing information security training and awareness efforts to instil positive information security culture.
Key findings: The training and awareness approach (ISTAAP) improved the information security culture of the case study organisation.

da Veiga (2016)
Objective or aim: To determine the role of information security policy in creating an effective information security culture.
Key findings: Reading information security policy has a positive impact on information security culture.

Da Veiga & Martins (2015)
Objective or aim: To determine whether information security culture can be improved by using information security culture assessment (ISCA) and implementing recommendations from it.
Key findings: Implementation of the ISCA tool was found to improve information security culture.

da Veiga et al. (2020)
Objective or aim: To provide an integrated view of the information security culture concept that can be used to improve information security culture.
Key findings: Information security training and awareness, information security policy, and mutual trust were identified as some important factors necessary to improve information security culture.

Dang-Pham et al. (2017)
Objective or aim: To investigate the role of interpersonal influence on information security behaviour in the workplace.
Key findings: Employees who are trusted positively influence the security behaviour of others.

Knapp et al. (2006)
Objective or aim: To investigate the influence of senior management support on information security culture.
Key findings: Senior management support was found to positively influence information security culture.

Masrek et al. (2018)
Objective or aim: To identify important factors perceived as important for developing information security culture in Malaysian public organisations.
Key findings: Management support, policy and procedures, and awareness were found to be important factors in developing an effective information security culture.

Martins and da Veiga (2015)
Objective or aim: To develop and test an information security culture model.
Key findings: Management, policies, compliance, and awareness were found to contribute to information security culture.

Nasir, Arshah, and Ab Hamid (2019)
Objective or aim: To test a model of information security culture and determine the influence of information security culture on employees’ security compliance behaviour.
Key findings: Seven dimensions were found to contribute to information security culture and information security culture significantly influenced the information security compliance behaviour of employees.

Parsons et al. (2015)
Objective or aim: To examine the relationship between information security culture and information security decision making.
Key findings: Improving the information security culture of organisations was shown to positively influence the information security behaviour of employees.

Tamjidyamcholo et al. (2013)
Objective or aim: To investigate factors that affect intention of information security professionals to share knowledge.
Key findings: Three aspects of trust (trust in the people in the community, trust in the information security knowledge that was shared, and trust in the security of the virtual community) that contributed to overall trust positively influenced attitude to security knowledge sharing.

Tang et al. (2016)
Objective or aim: To explore and understand relationships between dimensions of organisational culture and information security culture.
Key findings: Proposed potential relationships between dimensions of organisational culture and information security culture.

Wiley et al. (2020)
Objective or aim: To investigate the relationship between organisational culture, security culture, and information security awareness.
Key findings: Organisational culture was found to significantly influence information security culture, and security culture to mediate the relationship between organisational culture and information security awareness.
Appendix D Questionnaire
Background Information
2. Which is your gender?
Male
Female
3. How old are you?
4. What is the highest level of education you have completed?
5. Which organisation do you currently work for?
6. What is your designation and position level? (e.g., Sr. Program Officer and P3)
7. Please select the field in which you are currently employed
8. How many years have you been employed in the civil service?
9. Do you use laptops and/or computers in your work?
Yes
No
10. Do you take work laptops home?
Yes
No
Not Applicable
11. Do you use work computers/laptops for personal purposes?
Yes
No
Not Applicable
None Average Expert
12. How would you rate your level of information security knowledge/skill?
Please indicate to what degree you agree with the following statements on information security in
your organisation. An organisation in this study is the department/ministry/agency you currently
work for
Management and Leadership
Strongly disagree / Neither agree nor disagree / Strongly agree
13. Senior management considers information security as an important organisational priority
14. How long have you been working for your current organisation
Strongly disagree / Neither agree nor disagree / Strongly agree
15. Senior management are interested in information security issues
Strongly disagree / Neither agree nor disagree / Strongly agree
16. Senior management takes information security issues into account when planning corporate strategies
Strongly disagree / Neither agree nor disagree / Strongly agree
17. Senior management’s words and actions demonstrate that information security is a priority
Strongly disagree / Neither agree nor disagree / Strongly agree
18. Visible support for information security goals by senior management is obvious
Strongly disagree / Neither agree nor disagree / Strongly agree
19. Senior management gives strong and consistent support to the information security program
Please indicate to what degree you agree with the following statements on information security in
your organisation
Training and Awareness
Strongly disagree / Neither agree nor disagree / Strongly agree
20. Necessary efforts are made to educate employees about new security policies
Strongly disagree / Neither agree nor disagree / Strongly agree
21. Information security awareness is communicated well
Strongly disagree / Neither agree nor disagree / Strongly agree
22. A variety of business communications (notices, posters, newsletters, etc.) are used to promote
information security awareness
Strongly disagree / Neither agree nor disagree / Strongly agree
23. An effective information security awareness program exists
Strongly disagree / Neither agree nor disagree / Strongly agree
24. A continuous, ongoing information security awareness program exists
Strongly disagree / Neither agree nor disagree / Strongly agree
25. Users receive adequate information security refresher training appropriate for their job function
Please indicate to what degree you agree with the following statements on information security in
your organisation
Policy
Strongly disagree / Neither agree nor disagree / Strongly agree
26. My organisation has established rules of behaviour for use of computer resources
Strongly disagree / Neither agree nor disagree / Strongly agree
27. My organisation has a formal policy that forbids employees from accessing computer systems that they
are not authorised to use
Strongly disagree / Neither agree nor disagree / Strongly agree
28. My organisation has specific guidelines that govern what employees are allowed to do with their
computers
Please indicate to what degree you agree with the following statements about yourself
Trust
Strongly disagree / Neither agree nor disagree / Strongly agree
29. I generally trust other people
Strongly disagree / Neither agree nor disagree / Strongly agree
30. I generally have faith in humanity
Strongly disagree / Neither agree nor disagree / Strongly agree
31. I feel that most people have good intentions
Strongly disagree / Neither agree nor disagree / Strongly agree
32. I feel that people are generally trustworthy
Strongly disagree / Neither agree nor disagree / Strongly agree
33. I feel that people are generally reliable
Please indicate to what degree you agree with the following statements on information security
culture in your organisation
In my organisation..........
Information Security Culture
Strongly disagree / Neither agree nor disagree / Strongly agree
34. employees value the importance of information security
Strongly disagree / Neither agree nor disagree / Strongly agree
35. a culture exists that promotes good information security practices
Strongly disagree / Neither agree nor disagree / Strongly agree
36. information security has traditionally been considered an important organisational value
Strongly disagree / Neither agree nor disagree / Strongly agree
37. practicing good information security is the accepted way of doing business
Strongly disagree / Neither agree nor disagree / Strongly agree
38. the overall environment fosters information security-minded thinking
Strongly disagree / Neither agree nor disagree / Strongly agree
39. information security is a shared key norm
Please indicate to what degree you agree with the following statements on information security
behaviour in your organisation
Information Security Behaviour
Never Very frequently
40. How often do you change your passwords for work systems?
Never Very frequently
41. How often do you backup work related data on personal portable devices?
Never Very frequently
42. How often have you installed non-licensed or unauthorised software on your work computers/laptop?
Never Always
43. If you see any suspicious information security behavior, would you report it to your supervisor?
Never Always
44. How often do you share work related information or data with unauthorized people you trust?
Never Always
45. Do you follow information security policies and processes in your work place?
1.
2.
3.
4.
5.
46. What methods do you use to dispose of sensitive information/data that is no longer needed?
47. How often have you shared work related information on social networking sites?
Often
Never
Other (please specify)
48. If you have shared work related information on social networking sites, which sites have you used to
do so?
Please indicate to what degree you agree with the following statements on organisational culture in
your organisation
At my work..........
Organisational Culture
Strongly disagree / Neither agree nor disagree / Strongly agree
49. when confronted with problems, people are rarely helped by people from other organisations
Strongly disagree / Neither agree nor disagree / Strongly agree
50. the tasks of employees that are absent are usually taken over by colleagues
Strongly disagree / Neither agree nor disagree / Strongly agree
Other (please specify)
51. requests from other organisations are usually carried out without delay
Strongly disagree / Neither agree nor disagree / Strongly agree
52. on special projects, there is quick cooperation between the various divisions/departments
Strongly agree / Neither agree nor disagree / Strongly disagree
53. the employees contribute their bit by directly following the prescribed methods of the managers
Please indicate to what degree you agree with the following statements on organisational culture in
your organisation
At my work..........
Organisational Culture
Strongly disagree / Neither agree nor disagree / Strongly agree
54. when people do not feel happy about their job, but still perform well, little or nothing is done for them
Strongly disagree / Neither agree nor disagree / Strongly agree
55. whenever an employee is ill, or when something has happened in their personal life managers ask after
their problem with interest
Strongly disagree / Neither agree nor disagree / Strongly disagree
56. employees are encouraged to take training courses and to go to seminars and conferences to help
their self-development
Strongly disagree / Neither agree nor disagree / Strongly agree
57. if there are personal conflicts between employees, the managers attempt to solve these problems
Strongly disagree / Neither agree nor disagree / Strongly agree
58. my manager shows little or no interest in birthdays, marriages and births
Strongly disagree / Neither agree nor disagree / Strongly agree
59. employees usually have a say in matters that directly involve them
Strongly disagree / Neither agree nor disagree / Strongly agree
60. managers compliment employees on work well done
Strongly disagree / Neither agree nor disagree / Strongly agree
61. senior management ensures that my job does not become too pressurised
Please indicate to what degree you agree with the following statements on organisational culture in
your organisation
At my work..........
Organisational Culture
Strongly disagree / Neither agree nor disagree / Strongly agree
62. if a manager has a criticism of an employee he or she discusses it openly with them
Strongly disagree / Neither agree nor disagree / Strongly agree
63. employees express any criticisms of management directly to them
Strongly disagree / Neither agree nor disagree / Strongly agree
64. employees are asked for constructive criticism of managers
Strongly disagree / Neither agree nor disagree / Strongly agree
65. the mistakes of a colleague are mainly discussed behind his or her back
Please indicate to what degree you agree with the following statements on organisational culture in
your organisation
At my work..........
Organisational Culture
Strongly disagree / Neither agree nor disagree / Strongly agree
66. managers always check if the employees are working
Strongly disagree / Neither agree nor disagree / Strongly agree
67. if an employee is a little late for an appointment with the manager, he or she will be reprimanded
Strongly disagree / Neither agree nor disagree / Strongly agree
68. if an employee goes to a medical check-up during working hours, there is a check on how long he or
she stays away
Strongly disagree / Neither agree nor disagree / Strongly agree
69. employees’ work related expenses have to be specified in detail
Strongly disagree / Neither agree nor disagree / Strongly agree
70. if an employee is 15 minutes late for work, but stays on for an extra 15 minutes at the end of the day
the management usually do not bother too much
Strongly disagree / Neither agree nor disagree / Strongly agree
71. the number and duration of the breaks employees take are rarely checked by the managers
Strongly disagree / Neither agree nor disagree / Strongly agree
72. if an employee has to go to an important appointment she/he has to convince the manager of the
importance of the appointment
References
ACS. (2016). Cybersecurity: Threats, challenges and opportunities. Retrieved from
https://www.acs.org.au/insightsandpublications/redirect-20200626.html?report=cybersecurityTCO
ACSC. (2016). Australian cyber security center survey 2016. Retrieved from
https://www.acsc.gov.au/publications/ACSC_Cyber_Security_Survey_2016.
Acuña, D. C. (2017). Effects of a comprehensive computer security policy on human
computer security policy compliance. In Twelfth Midwest Association for Information Systems Conference. University of Illinois, Springfield.
Acuña, D. C. (2018). Manifest observations on a comprehensive computer security
policy. In Thirteenth Midwest Association for Information Systems Conference. St. Louis, Missouri.
Adbullahi, A. O., Igbinovia, M. O., & Solanke, O. E. (2015). Assessment of
information needs and seeking behaviour of undergraduates in University of
Ilorin. Information and Knowledge Management, 5(4), 1-16.
Ajzen, I. (1991). The theory of planned behavior. Organizational Behavior and Human Decision Processes, 50(2), 179-211.
Al Mehairi, H. A. (2013). Cultural influences on knowledge sharing behaviours
through open system vs. closed system cultures: The impact of organisational
culture on knowledge sharing. In Tenth International Conference on Intellectual Capital and Knowledge Management (pp. 475-481).
Al-Ahmad, W., & Mohammad, B. (2012). Can a single security framework address
information security risks adequately. International Journal of Digital Information and Wireless Communications, 2(3), 222-230.
Al-Khalaf, E., & Choe, P. (2020). Increasing customer trust towards mobile
commerce in a multicultural society: A case of Qatar. Journal of Internet Commerce, 19(1), 32-61. doi:10.1080/15332861.2019.1695179
Al-Omari, A., El-Gayar, O., & Deokar, A. (2012). Information security policy
compliance: The role of information security awareness. In Eighteenth AMCIS Conference Proceedings (Vol. 16).
Alfawaz, S., Nelson, K., & Mohannak, K. (2010). Information security culture: A
behaviour compliance conceptual framework. In Eighth Australasian Information Security Conference (pp. 47-55). Brisbane, Australia.
AlHogail, A. (2015a). Cultivating and assessing an organizational information
security culture: An empirical study. International Journal of Security and its Applications, 9(7), 163-178.
AlHogail, A. (2015b). Design and validation of information security culture
framework. Computers in Human Behavior, 49, 567-575.
doi:10.1016/j.chb.2015.03.054
Alhogail, A., & Mirza, A. (2014a). A framework of information security culture
change. Journal of Theoretical and Applied Information Technology, 64, 540-549.
AlHogail, A., & Mirza, A. (2014b). Information security culture: A definition and a
literature review. In IEEE World Congress on Computer Applications and Information Systems. Hammamet, Tunisia.
AlHogail, A., & Mirza, A. (2015). Organizational information security culture
assessment. In 2015 International Conference on Information Security and
Management (pp. 286-292).
AlKalbani, A., Deng, H., & Kam, B. (2015). Organisational security culture and
information security compliance for e-Government development: The
moderating effect of social pressure. In Pacific Asia Conference on Information System. Singapore.
Alnatheer, M. (2012). Understanding and measuring information security culture in developing countries: Case of Saudi Arabia. (Doctoral dissertation).
Queensland University of Technology, Australia.
Alnatheer, M., Chan, T., & Nelson, K. (2012). Understanding and measuring
information security culture. In Sixteenth Pacific Asia Conference on Information Systems. University of Science, Vietnam.
Alnatheer, M., & Nelson, K. (2009). Proposed framework for understanding
information security culture and practices in the Saudi context. In Seventh Australian Information Security Management Conference. Perth, Western
Australia.
Amankwa, E., Loock, M., & Kritzinger, E. (2018). Establishing information security
policy compliance culture in organizations. Information & Computer Security, 26, 420-436.
Anderson, J. C., & Narus, J. A. (1990). A model of distributor firm and manufacturer
firm working partnerships. Journal of Marketing, 54(1), 42-58.
Anderson, J. M. (2003). Why we need a new definition of information security.
Computers & Security, 22(4), 308-313. doi:10.1016/s0167-4048(03)00407-3
Andress, M., & Fonseca, B. (2000). Manage people to protect data. InfoWorld, 22(46), 48.
Anita, G., Kavita, K., & Kirandeep, K. (2013). Vulnerability assessment and
penetration testing. International Journal of Engineering Trends and Technology, 4(13).
Appari, A., & Johnson, M. E. (2010). Information security and privacy in healthcare:
Current state of research. International Journal of Internet and Enterprise Management, 6(4), 279-314.
Astakhova, L. (2020). Issues of the culture of information security under the
conditions of the digital economy. Scientific and Technical Information Processing, 47, 56-64.
Astakhova, L. V. (2015). Information security: Risks related to the cultural capital of
personnel (Review). Scientific and Technical Information Processing, 42(2),
41-52. doi:10.3103/S0147688215020021
Barlette, Y., & Fomin, V. V. (2010). The adoption of information security
management standards: A literature review. IGI Global, 119-140.
Bavik, A., & Duncan, T. (2014). Organization culture and scale development:
Methodological challenges and future directions. Nang Yan Business Journal, 3(1), 55-66.
Beshay, M., & Sixsmith, A. (2008). Dimensions of culture: A project perspective.
Communications of the IBIMA, 5, 82-88.
Bös, B., Dauber, D., & Springnagel, M. (2011). Measuring organizational culture:
An empirical assessment of the Hofstede questionnaire in an Austrian setting.
In Tenth Annual Conference and Third CEMS CCM/IACCM Doctoral Workshop (pp. 107-119). University of Ruse, Bulgaria.
Box, D., & Pottas, D. (2013). Improving information security behaviour in the
healthcare context. Procedia Technology, 9(2013), 1093-1103.
doi:10.1016/j.protcy.2013.12.122
Bozic, G. (2012). The role of a stress model in the development of information
security culture. In 35th International Convention MIPRO (pp. 1555-1559).
Opatija, Croatia.
Bryman, A., & Burgess, R. G. (1999). Qualitative research (Vol. 4). Calif, London:
Thousand Oaks.
Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2010). Information security policy
compliance: An empirical study of rationality-based beliefs and information
security awareness. MIS Quarterly, 34(3), 523-548.
Bulińska-Stangrecka, H., & Bagieńska, A. (2018). Investigating the links of
interpersonal trust in telecommunications companies. Sustainability, 10(7),
2555-2571.
Cadden, T., Marshall, D., & Cao, G. (2013). Opposites attract: Organisational culture
and supply chain performance. Supply Chain Management: An International Journal, 18(1), 86-103. doi:10.1108/13598541311293203
CBS. (2016). A compass towards a just and harmonious society: 2015 GNH survey report. Thimphu, Bhutan: Centre for Bhutan Studies & GNH Research.
Retrieved from https://www.bhutanstudies.org.bt/publicationFiles/2015-Survey-Results.pdf
Chang, S. E., & Lin, C. S. (2007). Exploring organizational culture for information
security management. Industrial Management & Data Systems, 107(3), 438-458.
doi:10.1108/02635570710734316
Chen, Y., Ramamurthy, K., & Wen, K. W. (2015). Impacts of comprehensive
information security programs on information security culture. Journal of Computer Information Systems, 55(3), 11-19.
doi:10.1080/08874417.2015.11645767
Chen, Y. H., Lin, T. P., & Yen, D. C. (2014). How to facilitate inter-organizational
knowledge sharing: The impact of trust. Information & Management, 51(5),
568-578.
Chia, P., Maynard, S., & Ruighaver, A. (2002). Understanding organizational
security culture. In Sixth Pacific Asia Conference on Information Systems (pp. 731-740). Tokyo, Japan.
Choejey, P., Murray, D., & Fung, C. C. (2016). Exploring critical success factors for
cybersecurity in Bhutan's government organizations. In Eighth International Conference on Networks & Communications. Sydney, Australia.
Choejey, P., Murray, D., & Fung, C. C. (2017). Perception of cybersecurity in
government organization: A case study of Bhutan. International Scholarly and Scientific Research & Innovation, 11(1), 152-155.
Choi, M., Robles, R. J., Hong, C., & Kim, T. (2008). Wireless network security:
Vulnerabilities, threats and countermeasures. International Journal of Multimedia and Ubiquitous Engineering, 3(3), 78-86.
Cisco. (2019). What is Information Security? Retrieved from
https://www.cisco.com/c/en/us/products/security/what-is-information-security-infosec.html
CNSS. (2015). Committee on national security system glossary - CNISSI No. 4009.
Retrieved from https://rmf.org/wp-content/uploads/2017/10/CNSSI-4009.pdf
Cohen, J. (1988). Statistical power analysis for the behavioral sciences (2nd ed.).
Hillsdale, New Jersey: Lawrence Erlbaum.
Connolly, Y., Lang, M., Gathegi, J., & Tygar, D. (2016). The effect of organisational
culture on employee security behaviour: A qualitative study. In Tenth International Symposium on Human Aspects of Information Security &
Assurance (pp. 33-44).
Cuganesan, S., Steele, C., & Hart, A. (2018). How senior management and
workplace norms influence information security attitudes and self-efficacy.
Behaviour & Information Technology, 37(1), 50-65.
D'Arcy, J., & Greene, G. (2014). Security culture and the employment relationship as
drivers of employees’ security compliance. Information Management & Computer Security, 22(5), 474-489. doi:10.1108/imcs-08-2013-0057
D'Arcy, J., Hovav, A., & Galletta, D. (2009). User awareness of security
countermeasures and its impact on information systems misuse: A deterrence
approach. Information Systems Research, 20(1), 79-98.
doi:10.1287/isre.1070.0160
D’Arcy, J., & Greene, G. (2009). The multifaceted nature of security culture and its
influence on end user behavior. In IFIP TC8 International Workshop on Information Systems Security Research (pp. 145-157). Cape Town, South
Africa.
da Veiga, A. (2015a). The influence of information security policies on information
security culture: Illustrated through a case study. In Ninth International Symposium on Human Aspects of Information Security & Assurance (pp. 22-33). Mytilene, Greece.
da Veiga, A. (2015b). An information security training and awareness approach
(ISTAAP) to instil an information security-positive culture. In Ninth International Symposium on Human Aspects of Information Security & Assurance (pp. 95-107). Mytilene, Greece.
da Veiga, A. (2016). Comparing the information security culture of employees who
had read the information security policy and those who had not: Illustrated
through an empirical study. Information & Computer Security, 24(2), 139-
151.
da Veiga, A., Astakhova, L. V., Botha, A., & Herselman, M. (2020). Defining
organisational information security culture - Perspectives from academia and
industry. Computers & Security, 92(101713), 1-23.
doi:https://doi.org/10.1016/j.cose.2020.101713
da Veiga, A., & Eloff, J. (2007). An information security governance framework.
Information Systems Management, 24(4), 361-372.
doi:10.1080/10580530701586136
da Veiga, A., & Eloff, J. (2010). A framework and assessment instrument for
information security culture. Computers & Security, 29(2), 196-207.
doi:10.1016/j.cose.2009.09.002
Da Veiga, A., & Martins, N. (2015). Improving the information security culture
through monitoring and implementation actions illustrated through a case
study. Computers & Security, 49, 162-176.
da Veiga, A., & Martins, N. (2017). Defining and identifying dominant information
security cultures and subcultures. Computers & Security, 70, 72-94.
da Veiga, A., Martins, N., & Eloff, J. (2007). Information security culture-validation
of an assessment instrument. Southern African Business Review, 11(1), 147-
166.
Dang-Pham, D., Pittayachawan, S., & Bruno, V. (2017). Applying network analysis
to investigate interpersonal influence of information security behaviours in
the workplace. Information & Management, 54(5), 625-637.
Deutsch, M. (1958). Trust and suspicion. The Journal of Conflict Resolution, 2(4),
265-279.
Dhillon, G. (1997). Managing information system security. London: Macmillan Press
Ltd.
Dhillon, G. (2007). Principles of information systems security-Texts and cases.
Hoboken, NJ: John Wiley & Sons.
DITT. (2017). Annual report 2017. Thimphu, Bhutan: Department of Information
Technology & Telecom. Retrieved from
https://www.dit.gov.bt/sites/default/files/DITT.pdf
DITT. (2019). DITT annual report 2018 - 2019. Thimphu, Bhutan: Department of
Information Technology & Telecom. Retrieved from
https://www.dit.gov.bt/sites/default/files/DITT%20Annual%20Report%202011-19.pdf
DITT. (2020). National fiber network reliability report (January - March, 2020). Thimphu, Bhutan: Department of Information Technology & Telecom.
Retrieved from https://www.dit.gov.bt/national-fiber-network-reliability-report-january-march-2020-0
Dojkovski, S., Lichtenstein, S., & Warren, M. J. (2007). Fostering information
security culture in small and medium size enterprises: An interpretive study
in Australia. In 15th ECIS 2007 Proceedings (pp. 1560-1571). Switzerland.
Dojkovski, S., Lichtenstein, S., & Warren, M. J. (2010). Enabling information
security culture: Influences and challenges for Australian SMEs. In 21st Australasian Conference on Information Systems. Brisbane, Queensland.
Dorji, L., Jamtsho, C., Gyeltshen, S., & Dorji, C. (2013). Bhutan’s case: Social
capital, household welfare and happiness. In Monograph Series. Thimphu,
Bhutan: NSB.
EY. (2019). Is cybersecurity about more than protection? EY global information security survey 2018-2019. Retrieved from
https://www.ey.com/en_au/consulting/global-information-security-survey-2018-2019
Farooq, A., Ndiege, J. R. A., & Isoaho, J. (2019). Factors affecting security behavior
of Kenyan students: An integration of Protection Motivation Theory and
Theory of Planned Behavior. In 2019 IEEE AFRICON. Accra, Ghana.
Flores, W. R., Antonsen, E., & Ekstedt, M. (2014). Information security knowledge
sharing in organizations: Investigating the effect of behavioral information
security governance and national culture. Computers & security, 43, 90-110.
Fung, C. C., Wong, K. W., Murray, D., Xie, H., & Choejey, P. (2015). Cybersecurity
practices for e-Government: An assessment in Bhutan. In Tenth International Conference on e-Business. Bangkok, Thailand.
Furnell, S., & Rajendran, A. (2012). Understanding the influences on information
security behaviour. Computer Fraud & Security, 2012(3), 12-15.
doi:https://doi.org/10.1016/S1361-3723(12)70053-2
Furnell, S., & Thomson, K. (2009). From culture to disobedience: Recognising the
varying user acceptance of IT security. Computer Fraud & Security, 2009(2),
5-10.
Geric, S., & Hutinski, Z. (2007). Information systems security threats classifications.
Journal of Information and Organizational Sciences, 31(1), 51-61.
Gillies, A. (2011). Improving the quality of information security management
systems with ISO27000. The TQM Journal, 23, 367-376.
Glaspie, H. (2018). Assessment of information security culture in higher education. (Doctoral thesis). University of Central Florida, Florida, USA.
Glaspie, H., & Karwowski, W. (2018). Human factors in information security culture:
A literature review. In International Conference on Applied Human Factors and Ergonomics (pp. 269-280). Cham: Springer.
GNHC. (2019). 12th five year plan 2018-2023. Gross National Happiness
Commission, Thimphu, Bhutan. Retrieved from
http://www.nsb.gov.bt/main/apa/12th_FYP.pdf
Goel, J. N., & Mehtre, B. M. (2015). Vulnerability assessment & penetration testing
as a cyber defence technology. Procedia Computer Science, 57, 710-715.
doi:https://doi.org/10.1016/j.procs.2015.07.458
Govender, S., Kritzinger, E., & Loock, M. (2016). The influence of national culture
on information security culture. In IST Africa Week Conference. Durban,
South Africa.
Greene, G., & D’Arcy, J. (2010). Assessing the impact of security culture and the
employee-organization relationship on IS security compliance. In 5th Annual Symposium on Information Assurance (pp. 1-8).
Hair, J., Sarstedt, M., Ringle, C., & Hult, G. T. (2017). A primer on partial least squares structural equation modeling (PLS-SEM) (Second ed.). Los Angeles:
Sage Publications.
Hair, J. F., Black, W. C., Babin, B. J., & Anderson, R. E. (2010). Multivariate Data Analysis: A Global Perspective (7th ed.). Upper Saddle River, NJ.
Hallikainen, H., & Laukkanen, T. (2018). National culture and consumer trust in
e-commerce. International Journal of Information Management, 38(1), 97-106.
doi:10.1016/j.ijinfomgt.2017.07.002
Hassan, N. H., & Ismail, Z. (2012). A Conceptual Model for Investigating Factors
Influencing Information Security Culture in Healthcare Environment.
Procedia - Social and Behavioral Sciences, 65, 1007-1012.
doi:10.1016/j.sbspro.2012.11.234
Hassan, N. H., Ismail, Z., & Maarop, N. (2015). Information security culture: A
systematic literature review. In Fifth International Conference on Computing and Informatics (pp. 456-463). Istanbul, Turkey.
Hassan, N. H., Maarop, N., Ismail, Z., & Abidin, W. Z. (2017). Information security
culture in health informatics environment-A qualitative approach. In
International Conference on Research and Innovation in Information Systems (ICRIIS). Langkawi, Malaysia.
Henseler, J., Ringle, C. M., & Sarstedt, M. (2015). A new criterion for assessing
discriminant validity in variance-based structural equation modeling. Journal of the Academy of Marketing Science, 43(1), 115-135.
doi:10.1007/s11747-014-0403-8
Herath, T., & Rao, H. R. (2009). Encouraging information security behaviors in
organizations: Role of penalties, pressures and perceived effectiveness.
Decision Support Systems, 47(2), 154-165. doi:10.1016/j.dss.2009.02.005
Hofstede, G. (1991). Cultures and organizations: Software of the mind. London &
New York: McGraw-Hill.
Hofstede, G. (1998). Identifying organisational subcultures: An empirical approach.
Journal of Management Studies, 35(1), 1-12. doi:10.1111/1467-6486.00081
Hofstede, G., Neuijen, B., Ohayv, D. D., & Sanders, G. (1990). Measuring
organizational cultures-A qualitative and quantitative study across twenty
cases. Administrative Science Quarterly, 35(2), 286-316.
Höne, K., & Eloff, J. H. P. (2002). Information security policy-what do international
information security standards say? Computers & Security, 21(5), 402-409.
Hsu, M. H., & Chang, C. M. (2014). Examining interpersonal trust as a facilitator
and uncertainty as an inhibitor of intraorganisational knowledge sharing.
Information Systems Journal, 24(2), 119-142.
Hu, Q., Hart, P., & Cooke, D. (2006). The role of external influences on
organizational information security practices: An institutional perspective. In
39th Annual Hawaii International Conference on System Sciences. Kauai, HI,
USA.
Hummels, H., & Roosendaal, H. E. (2001). Trust in scientific publishing. Journal of Business Ethics, 34(2), 87-100.
IDA. (2015). Revised Bhutan’s ICT roadmap 2015. Thimphu, Bhutan. Retrieved
from
https://www.dit.gov.bt/sites/default/files/bhutan_ict_roadmap_2015_pdf_85407.pdf
ISO/IEC. (2013). ISO/IEC 27002/2013 Information technology - security techniques
- code of practice for information security controls. Retrieved from
http://www.iso27001security.com/html/27002.html
ISO/IEC. (2018). ISO/IEC 27005:2018 Information technology-security techniques -
information security risk management. Retrieved from
https://www.iso.org/standard/75281.html
ISO/IEC. (2020). ISO survey 2019. Retrieved from
https://isotc.iso.org/livelink/livelink/fetch/-8853493/8853511/8853520/18808772/0._Explanatory_note_and_overview_on_ISO_Survey_2019_results.pdf?nodeid=21413237&vernum=-2
Johnston, A. C., & Hale, R. (2009). Improved security through information security
governance. Communications of the ACM, 52(1), 126-129.
Jouini, M., Rabai, L. B. A., & Aissa, A. B. (2014). Classification of security threats
in information systems. Procedia Computer Science, 32, 489-496.
doi:https://doi.org/10.1016/j.procs.2014.05.452
Kayworth, T., & Whitten, D. (2010). Effective information security requires a
balance of social and technology factors. MIS Quarterly Executive, 9(3),
2012-2052.
Kinga, S. (2001). The attributes and values of folk and popular songs. Journal of Bhutan Studies, 3(1), 130-170.
Kirlappos, I., Parkin, S., & Sasse, M. A. (2014). Learning from “Shadow Security”:
Why understanding non-compliance provides the basis for effective security.
In Workshop on Usable Security. Menlo Park, California.
Knapp, K., Marshall, T., Rainer, R., & Morrow, D. (2004). Top ranked information
security issues. In The 2004 International Information Systems Security Certification Consortium (ISC) 2 Survey Results. Alabama: Auburn
University.
Knapp, K. J. (2005). A model of managerial effectiveness in information security: From grounded theory to empirical test. (Doctoral thesis). Auburn
University, Alabama.
Knapp, K. J., Marshall, T. E., Rainer, R. K., & Ford, F. N. (2006). Information
security: Management’s effect on culture and policy. Information Management & Computer Security, 14(1), 24-36.
Knapp, K. J., Morris Jr, R. F., Marshall, T. E., & Byrd, T. A. (2009). Information
security policy: An organizational-level process model. Computers & security, 28(7), 493-508.
Kokolakis, S., Karyda, M., & Kiountouzis, E. (2005). The insider threat to
information systems and the effectiveness of ISO17799. Computers &
Security, 24(6), 472-484. doi:10.1016/j.cose.2005.05.002
Koohang, A., Nowak, A., Paliszkiewicz, J., & Nord, J. H. (2020). Information
security policy compliance: Leadership, trust, role values, and awareness.
Journal of Computer Information Systems, 60(1), 1-8.
doi:10.1080/08874417.2019.1668738
Koskosas, I., Kakoulidis, K., & Siomos, C. (2011). Examining the linkage between
information security and end-user trust. International Journal of Computer Science & Information Security, 9(2), 21-29.
Kraemer, S., Carayon, P., & Clem, J. (2009). Human and organizational factors in
computer and information security: Pathways to vulnerabilities. Computers & Security, 28(7), 509-520. doi:10.1016/j.cose.2009.04.006
Kumar, S. (2016). Information security threats, vulnerabilities and assessment.
International Journal of Advanced Research in Computer Engineering & Technology, 5(5), 1358-1360.
Lankton, N. K., McKnight, D. H., & Tripp, J. (2015). Technology, humanness, and
trust: Rethinking trust in technology. Journal of the Association for Information Systems, 16(10), 880-918.
Lewis, J. D., & Weigert, A. (1985). Trust as a social reality. Social Forces, 63(4),
967-985.
Liang, H., Laosethakul, K., Lloyd, S. J., & Xue, Y. (2005). Information systems and
health care-I: trust, uncertainty, and online prescription filling.
Communications of the Association for Information Systems, 15(1), 41-60.
Lim, J. S., Ahmad, A., Chang, S., & Maynard, S. B. (2010). Embedding information
security culture emerging concerns and challenges. In PACIS 2010 Proceedings (pp. 463-474). Taipei, Taiwan.
Lim, J. S., Chang, S., Maynard, S., & Ahmad, A. (2009). Exploring the relationship
between organizational culture and information security culture. In 7th Australian Information Security Management Conference (pp. 88-97). Perth,
Western Australia.
Lopes, I., & Oliveira, P. (2014). Understanding information security culture: A
survey in small and medium sized enterprises. In Á. Rocha, A. M. Correia, F.
B. Tan, & K. A. Stroetmann (Eds.), New Perspectives in Information Systems and Technologies (Vol. 1, pp. 277-286): Springer International Publishing.
Mahfuth, A., Yussof, S., Baker, A. A., & Ali, N. (2017). A systematic literature
review: Information security culture. In Fifth International Conference on Research and Innovation in Information Systems (ICRIIS). Langkawi,
Malaysia.
Malcolmson, J. (2009). What is security culture? Does it differ in content from
general organisational culture? In 43rd Annual 2009 International Carnahan Conference on Security Technology (pp. 361-366). Zurich, Switzerland.
Martins, A., & Eloff, J. (2002). Information security culture. In IFIP TC11, 17th International Conference on Information Security (pp. 203-214). Boston:
Kluwer Academic.
Martins, N., & da Veiga, A. (2015). An information security culture model validated
with structural equation modelling. In Ninth International Symposium on Human Aspects of Information Security & Assurance (HAISA 2015) (pp. 11-
21). Mytilene, Greece.
Masrek, M., Harun, Q., Ramli, I., & Prasetyo, H. (2019). The role of top
management in information security practices. In Sixth International Conference on Education, Social Sciences and Humanities (pp. 983-990).
Istanbul, Turkey.
Masrek, M., Zaidi, N., & Harun, Q. (2018). Assessing the information security
culture in a government context: The case of a developing country.
International Journal of Civil Engineering and Technology, 9(8), 96-112.
Mayer, R. C., Davis, J. H., & Schoorman, F. D. (1995). An integrative model of
organizational trust. Academy of management review, 20(3), 709-734.
McCormac, A., Parsons, K., & Butavicius, M. (2012). Preventing and profiling malicious insider threats. Retrieved from
https://www.dst.defence.gov.au/sites/default/files/publications/documents/DSTO-TR-2697%20PR.pdf
Mcknight, D. H., Carter, M., Thatcher, J. B., & Clay, P. F. (2011). Trust in a specific
technology: An investigation of its components and measures. ACM Transactions on Management Information Systems (TMIS), 2(2), 1-25.
Meeßen, S. M., Thielsch, M. T., & Hertel, G. (2020). Trust in management
information systems (MIS): A theoretical model. Zeitschrift für Arbeits-und Organisationspsychologie, 64(1), 6-16.
Mehrad, A., & Tahriri, M. (2019). Comparison between qualitative and quantitative
research approaches: Social sciences. International Journal For Research In Educational Studies, 5(7), 1-7.
MoIC. (2019). Annual info-comm and transport statistical bulletin. Thimphu,
Bhutan. Retrieved from
https://www.moic.gov.bt/wp-content/uploads/2019/03/10th-Annual-Info-Comm-and-Transport-Statistical-Bulletin-2019.pdf
Nagamalai, D., Dhinakaran, B. C., Sasikala, P., Lee, S. H., & Lee, J. K. (2005).
Security threats and countermeasures in WLAN. In K. Cho & P. Jacquet
(Eds.), Technologies for Advanced Heterogeneous Networks (pp. 168-182).
Berlin, Heidelberg: Springer
Narayana Samy, G., Ahmad, R., & Ismail, Z. (2010). Security threats categories in
healthcare information systems. Health Informatics Journal, 16(3), 201-209.
Nasir, A., Arshah, R. A., & Ab Hamid, M. R. (2019). A dimension-based
information security culture model and its relationship with employees’
security behavior: A case study in Malaysian higher educational institutions.
Information Security Journal: A Global Perspective, 28(3), 55-80.
doi:10.1080/19393555.2019.1643956
Nasir, A., Arshah, R. A., & Ab Hamid, M. R. (2020). Information security culture
for guiding employee’s security behaviour: A pilot study. In Sixth International Conference on Information Management (pp. 205-209).
London, United Kingdom.
Nasir, A., Arshah, R. A., Ab Hamid, M. R., & Fahmy, S. (2019). An analysis on the
dimensions of information security culture concept: A review. Journal of Information Security and Applications, 44, 12-22.
doi:https://doi.org/10.1016/j.jisa.2018.11.003
Northouse, P. G. (2010). Leadership: Theory and practice (5th ed.). Thousand Oaks,
CA: Sage Publications.
NSB. (2017). Population and housing census of Bhutan 2017. Thimphu, Bhutan.
Retrieved from
http://www.nsb.gov.bt/publication/files/PHCB2017_national.pdf
NSB. (2019). Labour force survey report 2019. Thimphu, Bhutan. Retrieved from
http://www.nsb.gov.bt/publication/files/pub2yh3694oi.pdf
NSB. (2020). Bhutan at a glance 2020. Thimphu, Bhutan. Retrieved from
http://www.nsb.gov.bt/publication/files/pub8xz2017hc.pdf
OAIC. (2021). Notifiable data breaches report. Retrieved from
https://www.oaic.gov.au/assets/privacy/notifiable-data-breaches-scheme/statistics/2020-2/Notifiable-Data-Breaches-Report-July-Dec-2020.pdf
Padayachee, K. (2012). Taxonomy of compliant information security behavior.
Computers & Security, 31(5), 673-680.
doi:https://doi.org/10.1016/j.cose.2012.04.004
Paliszkiewicz, J. (2019). Information security policy compliance: Leadership and
trust. Journal of Computer Information Systems, 59(3), 211-217.
doi:10.1080/08874417.2019.1571459
Parsons, K., McCormac, A., Butavicius, M., Pattinson, M., & Jerram, C. (2014).
Determining employee awareness using the human aspects of information
security questionnaire (HAIS-Q). Computers & Security, 42, 165-176.
doi:10.1016/j.cose.2013.12.003
Parsons, K., McCormac, A., Pattinson, M., Butavicius, M., & Jerram, C. (2013).
Phishing for the truth: A scenario-based experiment of users’ behavioural
response to emails. In IFIP International Information Security Conference
(pp. 366-378). Berlin, Heidelberg.
Parsons, K., Young, E., Butavicius, M., McCormac, A., Pattinson, M., & Jerram, C.
(2015). The influence of organizational information security culture on
Information security decision making. Journal of Cognitive Engineering and Decision Making, 9(2), 117-129. doi:10.1177/1555343415575152
Pattinson, M., & Anderson, G. (2007). How well are information risks being
communicated to your computer end-users? Information Management & Computer Security, 15(5), 362-371.
Pattinson, M., Butavicius, M., Parsons, K., McCormac, A., & Calic, D. (2015).
Factors that influence information security behavior: An Australian web-
based study. In International Conference on Human Aspects of Information Security, Privacy, and Trust (pp. 231-241). Cham: Springer.
Pierce, R. E. (2012). Key factors in the success of an organization's information security culture: A quantitative study and analysis. (Doctoral thesis). Capella
University, USA.
Ponemon. (2019). Data breach report 2019. Retrieved from
https://www.ibm.com/downloads/cas/ZBZLY7KL?_ga=2.266424142.112580914.1592375957-1681072557.1592375957
Ponemon. (2020). Cost of insider threat global report 2020. Retrieved from
https://www.observeit.com/wp-content/uploads/2020/04/2020-Global-Cost-of-Insider-Threats-Ponemon-Report_UTD.pdf
Puhakainen, P., & Siponen, M. (2010). Improving employees' compliance through
information systems security training: An action research study. MIS Quarterly, 34(4), 757-778. doi:10.2307/25750704
Rabai, L. B. A., Aissa, A. B., & Mili, A. (2012). An economic model of security
threats for cloud computing systems. In International Conference on Cyber Security: Cyber Warfare and Digital Forensic (CyberSec) (pp. 100-105).
Kuala Lumpur, Malaysia.
Rabai, L. B. A., Jouini, M., Aissa, A. B., & Mili, A. (2013). A cybersecurity model
in cloud computing environments. Journal of King Saud University - Computer and Information Sciences, 25(1), 63-75.
doi:10.1016/j.jksuci.2012.06.002
Rai, D., & Kurnia, S. (2017). Factors affecting the growth of the ICT industry: The
case of Bhutan. In International Conference on Social Implications of Computers in Developing Countries (pp. 728-739). Cham: Springer.
Rajaonah, B. (2017). A view of trust and information system security under the
perspective of critical infrastructure protection. Revue des Sciences et Technologies de l’Information - Série ISI : Ingénierie des Systèmes d’Information, 22(1), 109-133.
RCSC. (2019a). Annual report (July 2018-March 2019) state of the royal civil service. Thimphu, Bhutan. Retrieved from
https://www.rcsc.gov.bt/wp-content/uploads/2019/04/Annual-Report-2018-19.pdf
RCSC. (2019b). Civil service statistics December 2019. Thimphu, Bhutan. Retrieved
from https://www.rcsc.gov.bt/wp-content/uploads/2020/04/Civil-Service-Statistics-2019.pdf
Renzl, B. (2008). Trust in management and knowledge sharing: The mediating
effects of fear and knowledge documentation. Omega, 36(2), 206-220.
RGoB. (2018). Information, Communications and Media Act of Bhutan 2018.
Thimphu, Bhutan. Retrieved from
https://www.nab.gov.bt/assets/uploads/docs/acts/2018/ICMActofBhutan2018.
Ridings, C. M., Gefen, D., & Arinze, B. (2002). Some antecedents and effects of
trust in virtual communities. The Journal of Strategic Information Systems, 11(3-4), 271-295.
Ringle, C. M., Wende, S., & Becker, J.-M. (2015). SmartPLS 3. Bönningstedt: SmartPLS. Retrieved from http://www.smartpls.com
Roberts, T. (2015). Building cyber-security capacity in the Kingdom of Bhutan.
Global Cyber Security Capacity Centre, University of Oxford.
Rocha Flores, W., & Ekstedt, M. (2016). Shaping intention to resist social
engineering through transformational leadership, information security culture
and awareness. Computers & Security, 59, 26-44.
doi:10.1016/j.cose.2016.01.004
Rocha Flores, W., Holm, H., Nohlberg, M., & Ekstedt, M. (2015). Investigating
personal determinants of phishing and the effect of national culture.
Information and Computer Security, 23(2), 178-199. doi:10.1108/ics-05-2014-0029
Rogers, R. W. (1983). Cognitive and psychological processes in fear appeals and
attitude change: A revised theory of protection motivation. In J. T. Cacioppo
& R. E. Petty (Eds.), Social psychophysiology: A Source book (pp. 153-176).
New York: Guildford Press.
Rotter, J. B. (1967). A new scale for the measurement of interpersonal trust. Journal of Personality, 35(4), 651-665.
Ruighaver, A., Maynard, S., & Chang, S. (2007). Organisational security culture:
Extending the end-user perspective. Computers & Security, 26(1), 56-62.
doi:https://doi.org/10.1016/j.cose.2006.10.008
Safa, N., Sookhak, M., von Solms, R., Furnell, S., Ghani, N. A., & Herawan, T.
(2015). Information security conscious care behaviour formation in
organizations. Computers & Security, 53, 65-78.
doi:10.1016/j.cose.2015.05.012
Safa, N., & von Solms, R. (2016). An information security knowledge sharing model
in organizations. Computers in Human Behavior, 57, 442-451.
doi:10.1016/j.chb.2015.12.037
Safa, N., von Solms, R., & Furnell, S. (2016). Information security policy
compliance model in organizations. Computers & Security, 56, 70-82.
doi:10.1016/j.cose.2015.10.006
Safianu, O., Twun, F., & Hayfron-Acquah, J. B. (2016). Information system security
threats and vulnerabilities: Evaluating the human factor in data protection.
International Journal of Computer Applications, 143, 8-14.
Saint-Charles, J., & Mongeau, P. (2009). Different relationships for coping with
ambiguity and uncertainty in organizations. Social Networks, 31(1), 33-39.
Saleh, M. F. (2011). Information security maturity model. International Journal of Computer Science and Security, 5(3), 316-337.
Samonas, S., & Coss, D. (2014). The CIA strikes back: Redefining
confidentiality, integrity and availability in security. Journal of Information System Security, 10(3), 21-45.
Schein, E. H. (1992). Organizational culture and leadership (2nd ed.). San
Francisco: Jossey-Bass.
Schein, E. H. (2010). Organizational culture and leadership (4th ed.). San Francisco:
Jossey-Bass.
Schlienger, T., & Teufel, S. (2002). Information security culture-The socio-cultural
dimension in information security management. In M. A. Ghonaimy, M. T.
El-Hadidi, & H. K. Aslan (Eds.), Security in the Information Society. IFIP Advances in Information and Communication Technology (Vol. 86). Boston,
MA: Springer.
Schultz, E. (2005). The human factor in security. Computers & Security, 24(6), 425-
426. doi:10.1016/j.cose.2005.07.002
Seldon, P. (2018, 12/1/2018). Securing Bhutan’s cyber security. The Bhutanese.
Retrieved from https://thebhutanese.bt/securing-bhutans-cyber-security/
Shaaban, H., & Conrad, M. (2013). Democracy, culture and information security: a
case study in Zanzibar. Information Management & Computer Security, 21(3), 191-201. doi:10.1108/imcs-09-2012-0057
Shapiro, J., Bessette, M., Baumlin, K., Ragin, D., & Richardson, L. (2004).
Automating research data. Academic Emergency Medicine, 11(11), 1223-
1228. doi:10.1197/j.aem.2004.08.017
Sherif, E., Furnell, S., & Clarke, N. (2015a). Awareness, behaviour and culture: The
ABC in cultivating security compliance. In Tenth International Conference for Internet Technology and Secured Transactions (ICITST) (pp. 90-94).
London, United Kingdom.
Sherif, E., Furnell, S., & Clarke, N. (2015b). An identification of variables
influencing the establishment of information security culture. In The Human-Computer Interaction (HCI) Conference–Human Aspects of Information Security, Privacy and Trust (HAS) (pp. 436–448). Switzerland.
Siponen, M., Adam Mahmood, M., & Pahnila, S. (2014). Employees’ adherence to
information security policies: An exploratory field study. Information & Management, 51(2), 217-224. doi:10.1016/j.im.2013.08.006
Soomro, Z. A., Shah, M. H., & Ahmed, J. (2016). Information security management
needs more holistic approach: A literature review. International Journal of Information Management, 36(2), 215-225.
doi:10.1016/j.ijinfomgt.2015.11.009
Spitzner, L. (2018). This is why the human is the weakest link? Retrieved from
https://www.sans.org/security-awareness-training/blog/why-human-weakest-link
Tamjidyamcholo, A., Baba, M. S. B., Tamjid, H., & Gholipour, R. (2013).
Information security–Professional perceptions of knowledge-sharing
intention under self-efficacy, trust, reciprocity, and shared-language.
Computers & Education, 68, 223-232.
Tang, M., Li, M. g., & Zhang, T. (2016). The impacts of organizational culture on
information security culture: A case study. Information Technology and Management, 17(2), 179-186. doi:10.1007/s10799-015-0252-2
Tolah, A., Papadaki, M., & Furnell, S. (2017). A comprehensive framework for
cultivating and assessing information security culture. In International Symposium on Human Aspects of Information Security and Assurance (pp.
52-64). Adelaide, Australia.
UN. (2019). World economic situation and prospects. Retrieved from
https://www.un.org/development/desa/dpad/wp-content/uploads/sites/45/WESP2019_BOOK-ANNEX-en.pdf
UNCTAD. (2020). The least developed countries report 2020. Retrieved from
https://unctad.org/webflyer/least-developed-countries-report-2020
UNDP. (2019). Human development report 2019. Retrieved from
http://www.hdr.undp.org/sites/default/files/hdr2019.pdf
Vaidya, R. (2018). Cyber security breaches survey 2018. Retrieved from
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/702074/Cyber_Security_Breaches_Survey_2018_-_Main_Report.pdf
van Niekerk, J., & von Solms, R. (2005). A holistic framework for the fostering of an
information security sub-culture in organizations. In Information Security South Africa Conference. Johannesburg, South Africa.
van Niekerk, J., & von Solms, R. (2010). Information security culture: A
management perspective. Computers & Security, 29(4), 476-486.
doi:10.1016/j.cose.2009.10.005
Vance, A., Elie-Dit-Cosaque, C., & Straub, D. W. (2008). Examining trust in
information technology artifacts: The effects of system quality and culture.
Journal of Management Information Systems, 24(4), 73-100.
doi:10.2753/MIS0742-1222240403
Verbeke, W. (2000). A revision of Hofstede et al.'s (1990) organizational practices
scale. Journal of Organizational Behavior, 21(5), 587-602.
von Solms, B. (2000). Information security - The third wave? Computers & Security, 19, 615-620. doi:10.1016/S0167-4048(00)07021-8
Weick, K. E. (1995). Sensemaking in organizations (Vol. 3). Thousand Oaks, CA:
Sage Publications.
West, D. M. (2001). State and federal e-government in the United States. Retrieved
from http://www.insidepolitics.org/egovt01us.PDF
Whitman, M. E., & Mattord, H. J. (2012). Principles of information security. Boston,
MA, USA: Cengage Learning.
Whitman, M. E., & Mattord, H. J. (2016). Management of information security.
Boston, MA, USA: Cengage Learning.
Wiley, A., McCormac, A., & Calic, D. (2020). More than the individual: Examining
the relationship between culture and Information Security Awareness.
Computers & Security, 88, 101640.
doi:https://doi.org/10.1016/j.cose.2019.101640
Williams, P. A. (2009). Capturing culture in medical information security research.
Methodological Innovations Online, 4(3), 15-26.
Wood, C. C. (1995). Writing infosec policies. Computers & Security, 14(1995), 667-
674.
Xue, Y., Liang, H., & Wu, L. (2011). Punishment, justice, and compliance in
mandatory IT settings. Information Systems Research, 22(2), 400-414.
Yoon, C., Hwang, J.-W., & Kim, R. (2019). Exploring factors that influence
students’ behaviors in information security. Journal of Information Systems Education, 23(4), 407-415.