Universal and Culture-dependent Employee Compliance of Information Systems Security Procedures

Employee information systems security behavior (ISSB) is a key concern for organizations. Previous studies have proposed models aimed at explaining employees' ISSB and related behavioral change. While these studies have contributed to our understanding of the reasons for ISSB (change), there is a lack of research related to cultural differences and distinguishing cultural-specific reasons for ISSB. This paper takes the first step in addressing this research gap by theorizing about employee ISSB based on empirical material collected in Finland, Switzerland, the UAE, and China. This paper suggests that ISSB constitute a learned information systems security (ISS) conventions that may be somewhat generic across different cultures; however, different paradigms of learning seem to be effective in different cultures for supporting behavioral change. From a theoretical perspective, the results help us to understand why employees comply or do not comply with ISS procedures. This study also highlights the need for future research on employee compliance to understand cultural differences regarding key ISS interventions. Finally, from a managerial perspective, the theory suggests that different cultures require different ISS interventions.