The impacts of organizational culture on information security culture: a case study

Information security cannot rely solely on technology. More attention must be drawn to the users’ behavioral perspectives regarding information security. In this study, we propose that a culture encouraging employees to comply with information policies related to collecting, preserving, disseminating and managing information will improve information security. Information security culture is believed to be influenced by an organization’s corporate culture (or organizational culture). We examine how this occurs through an in-depth case study of a large organization. We present a relationship map for organizational culture and information security practices. Six propositions are drawn from the findings of our interviews and discussions. Managerial insights, such as how to measure an organization’s information security culture and subsequently determine what perspective(s) is important for the organization to improve, are also discussed.     

Requirements engineering for organizational transformation

Traditional approaches to requirements elicitation stress systematic and rational analysis and representation of organizational context and system requirements. This paper argues that the introduction of any computer-based system to an organization transforms the organization and changes the work patterns of the system's users in the organization. These changes interact with the users' values and beliefs and trigger emotional responses which are sometimes directed against the computer-based system and its proponents. The paper debunks myths about how smoothly such organizational transformations take place, describes case studies showing how organizational transformation really takes place, and introduces and confirms by case studies some guidelines for eliciting requirements and the relevant emotional issues for a computer-based system that is being introduced into an organization to change its work patterns.     

Effects of organizational culture on a large scale IT introduction effort: a case study of the Norwegian army's EDBLF project

This paper documents a process of introducing new information technology (IT) within the Norwegian army. The research suggests that in the intersection between an organization and IT what emerges as most interesting is the organizational culture. Some of the characteristics of the Norwegian army culture, such as using a particular transfer and application scheme and the use of refreshers training, contributed to a high job rotation, causing instability within the organization and jeopardising the day-to-day work routines within the army units. This part of the Norwegian army's culture combined with an IT system designed in a way that spliced jobs and deskilled workers, while at the same time creating dependencies between different jobs within the organization, contributed to upholding a particular functioning of the organization. Underlying this is the assumption made by the army that as long as the technology is uniform one person can easily be substituted for another. This paper argues that the organizational culture of the Norwegian army was in many ways a hindrance to a successful adoption of IT. Recognising the influence of organizational culture is important, but more empirical studies of organizational culture influence are needed to support the diverse findings presented here and would be a viable and important task in the years to come for anyone interested in a successful adoption of IT systems.     

Cultural analysis of the organizational consequences of information technology

For over 30 years, the literature on organizations has carried accounts of the potential for information technology to transform organizational structures and processes. Despite this enduring interest in the relationship between information technology and organizations, the variety of actual consequences for organizations has not been satisfactorily explained. In this paper, we propose the use of cultural analysis to understand the organizational consequences of information technology. Analyses that use the construct of culture meet two important requisites for understanding and resolving the contradictory empirical findings. First, cultural analysis emphasizes the importance of socially constructed meanings and their relationship to information technology's material properties. From this perspective, technology's social consequences are largely indeterminate because of the variety of meanings that technology can assume. Cultural analysis thus removes the temptation to consider information technology as an autonomous determinant of organizational form and process. Second, cultural analysis can address information technology's role in both the persistence and the transformation of organizations. Information technology can help preserve institutionalized practices in an organization, and it can operate as a catalyst for change. Because cultural analysis encompasses these opposing organizational processes, it helps to explain the diversity of outcomes experienced after information technology is implemented.     

The human immune system as an information systems security reference model

The controls an organization places in its information systems are largely determined by its employee's thinking. Employee awareness of system vulnerabilities and the recognition that information is a strategically important organizational resource are two central ideas critical to effective information systems security thinking. For many years a military physical security environment has been the reference model (or a way of thinking) to which people refer when attempting to organize their thoughts about the complex systems security environment. While certainly still of use, this reference model has severely limited the thinking of those of us in the systems security field. This article defines both a new reference model with which people can view information systems security and several reasons why this new reference model should be adopted.     

A context-based model for Knowledge Management embodied in work processes

Knowledge Management has become a prominent subject for organizations, but often the information that flows in a well-defined design work process is not characterized and treated in such a way as to promote its reuse. We argue that context is a fundamental information resource for improving how activities and interactions are understood and carried on. Our premise is that it is important for organizational learning that decisions, solutions, discussions and actions executed in work processes should be retrievable. We describe an environment that supports the cycle of creating and dealing with information about activities and interactions, focusing on their context. A formal ontology-based representation of context is presented to support the use of this environment. Two case studies are described and their results analyzed. The goal of this paper is to discuss and specify mechanisms that can be used to collect contextual information within such an environment.     

Organizing for computer integrated manufacturing

Good organizational structure design is increasingly important in Computer Integrated Manufacturing (CIM) environments. It can reduce problems due to the changing roles of organizational units and information technologies. This paper presents observations about organizational structures for CIM and discusses the basic approaches. An initial framework for evaluating CIM organizational structures is proposed and is used to evaluate the basic structures.     

Dirty laundry: privacy issues for IT professionals

Individual online privacy, already a hot button in the political landscape, is no less important for IT professionals. In 1999, the authors distributed a survey to 500 data workers in the healthcare and financial fields. The results of the study suggest that privacy concerns are not confined to consumers, but the employees who access and collect the data are concerned as well. The survey posed 15 questions regarding the responders' attitudes about the organizational practices at their organization. The data collected from the survey reveals that healthcare workers are concerned about organizational practices causing errors in patient information, as well as unsanctioned use of patient information. Similarly, the survey research indicates that employees of financial institutions are concerned with organizational practices that allow improper access to customer information. Given the results in these two fields, IT workers and managers in all fields must be prepared to deal with this issue, for it is likely to confront them soon     

Organization Mining Using Online Social Networks

Complementing the formal organizational structure of a business are the informal connections among employees. These relationships help identify knowledge hubs, working groups, and shortcuts through the organizational structure. They carry valuable information on how a company functions de facto. In the past, eliciting the informal social networks within an organization was challenging; today they are reflected by friendship relationships in online social networks. In this paper we analyze several commercial organizations by mining data which their employees have exposed on Facebook, LinkedIn, and other publicly available sources. Using a web crawler designed for this purpose, we extract a network of informal social relationships among employees of targeted organizations. Our results show that it is possible to identify leadership roles within the organization solely by using centrality analysis and machine learning techniques applied to the informal relationship network structure. Valuable non-trivial insights can also be gained by clustering an organization’s social network and gathering publicly available information on the employees within each cluster. Knowledge of the network of informal relationships may be a major asset or might be a significant threat to the underlying organization.     

Determinants of firms' knowledge management system implementation: An empirical study

As knowledge becomes an increasingly valuable and important organizational asset, many firms anticipate that implementing the knowledge management systems (KMS) will effectively support and enhance organizational knowledge management activities. Even some firms regard KMS as an emerging and powerful source of competitive advantages.However, the implementation of KMS differs from that of traditional enterprise information systems. The implementation of KMS is difficult and risky since these systems are unstructured and so technologically innovative. Thus, effort is required to identify determinants affecting KMS implementation in businesses.Based on innovation diffusion theory and technology-organization-environment framework, this study develops and tests an integrated model of knowledge management systems implementation for businesses. Survey data were collected from 291 businesses in Taiwan. Confirmatory factor analysis and logistic regression technique were used test the hypothesized relationships. The results show that technological innovation factors (perceived benefits, complexity, and compatibility), organizational factors (top management support, organizational culture), and environmental factors (competitive pressure) are significant influences on KMS implementation in firms. Finally, the implications and future research on KMS implementation are discussed.     

Comparing appropriate decision support of human resource practices on organizational performance with DEA/AHP model

The issue of human resource practices has been widely applied to examine the organizational performance for multiple industries. Few researches have realized that the relationships of human resource practices to organizational performance in different culture types support the meaningful information. In this paper, an Analytical Hierarchical Process/Data Envelopment Analysis (AHP/DEA) model that helps in investigating the associated importance of human resource practices and organizational performance variables is proposed. This research involving 129 companies in the Taiwanese electronics industry and 112 branches in China are used to demonstrate and compare the impact of human resource practices on organizational performance in each organizational type with the proposed AHP/DEA model. The study contains five human resource practice variables and seven organizational performance variables through Linear Structure Relation (LISREL). The main findings suggest: (1) asking employee to participate company activities, because doing so may greatly consume the employees’ relationships in each organizational type for both the Taiwanese and branches electronics industry; and (2) the importance of employee relations is more significant in stratum and rational culture than in development and common culture regardless of Taiwanese companies or branches in China. Discussion and implication with respect to decision support are also addressed.     

An empirical study of organizational culture and network-based computer use

This study investigated the influence of organizational culture on computer-mediated communication and information access (CMCIA). A validated instrument to assess CMCIA and organizational culture was used. Organizational culture was treated as a shared set of norms and values. Meaningful CMCIA occurs when computer-network technology is maximally exploited to amplify individual information processing actions to foster organizational excellence.CMCIA was measured by a weighted user-satisfaction importance rating. Both organizational culture and CMCIA were measured empirically by administering questionnaires to respondents in organizations that use computer networks. A non-experimental field study was employed to test the hypothesis that particular types of organizational cultures foster computer-network effectiveness while other types hinder it. The usable response rate was 45%. Eight organizations were used for data analysis.Statistically significant findings showed that organizational culture interacts with the degree of use to affect user satisfaction with CMCIA. In task-oriented organizations, user satisfaction with CMCIA was positively related to degree of use. People-oriented organizations displayed a negative relationship between degree of use and user satisfaction with CMCIA. These results can be used when designing implementation strategies for information systems that have the potential to affect whole departments or organizations.     

How different connectivity patterns of individuals within an organization can speed up organizational learning

Knowledge sharing within a cooperative organization is an important issue since the power of its outcome has been the principal source of competitive advantage over the competitors in the market. However, without a proper collective knowledge management, its utilization as a strategic weapon or competitive advantage becomes difficult and inefficient. From an organizational perspective, the most important aspect of knowledge management is to transfer knowledge. In this regards, organizations must adopt structures that allow them to create and transfer more knowledge. Organizational communication structure affects the nature of human interactions and information flow which in its own turn can lead to a competitive advantage in the knowledge economy. However, in addition to that, social relationships between individuals in an organization can also be utilized to produce positive returns. In this article we emphasize the role of individual structural importance within an organizational informal communication structure as a mechanism for knowledge flow and speeding up organizational learning. Our experimental results indicate the fact that structural position of individuals within their informal communication networks can help the network members to have a better access to ongoing information exchange processes in the organization. The results of our analyses also show that organizational learning through an informal communication network of people in the form of scale-free connectivity pattern is faster comparing to the small-world connectivity style.     

Cultivating proactive information security behavior and individual creativity: The role of human relations culture and IT use governance

This study developed the concept of proactive information security behavior and examined its connections with individual creativity and two organizational context factors: human relations culture (values and beliefs that promote participation and autonomy in decision-making) and IT use governance. Reliability and validity of this construct were tested with survey data. Findings of this study support its positive relationship with individual creativity, human relations culture, and IT use governance, and show partial mediation effects of individual creativity on the relationships between human relations culture and IT use governance, and proactive information security behavior. Theoretical and practice implications are discussed.     

Creating an Effective Information Environment: Management Perspectives and Personnel

For an information environment to be truly effective, its resources must be managed so that they are in synch with the overall organizational goals and strategies. the first part in a two-part series, this article lays the foundation for effective resource management as well as the management of the most important IT resource, its personnel.     

Average-case analysis of VCG with approximate resource allocation algorithms

The Vickrey-Clarke-Groves (VCG) mechanism offers a general technique for resource allocation with payments, ensuring allocative efficiency while eliciting truthful information about preferences. However, VCG relies on exact computation of an optimal allocation of resources, a problem which is often computationally intractable, and VCG that uses an approximate allocation algorithm no longer guarantees truthful revelation of preferences. We present a series of results for computing or approximating an upper bound on agent incentives to misreport their preferences. Our first key result is an incentive bound that uses information about average (not worst-case) performance of an algorithm, which we illustrate using combinatorial auction data. Our second result offers a simple sampling technique for amplifying the difficulty of computing a utility-improving lie. An important consequence of our analysis is an argument that using state-of-the-art algorithms for solving combinatorial allocation problems essentially eliminates agent incentives to lie.     

Cultivating security culture for information security success: A mixed-methods study based on anthropological perspective

The continuous information security failures in organizations have led focus toward organizational culture. It is argued that the development of culture of information security would subsequently lead to a secure organization. However, limited studies have been conducted to understand information security culture. This study aims to understand information security culture and its impact on success with information security efforts in an organization. The research model is based on the theory of primary message systems, which is an established theory from the anthropology discipline. We followed a mixed-methods research design involving two phases of the study. In the first phase, 25 semi-structured interviews with experienced cybersecurity practitioners were conducted to develop the research model. The second phase empirically validated the research model using survey data from 473 participants who completed a web-based survey in Southeast USA from multiple companies. For data analysis, we employed Partial Least Squares - Structural Equation Modeling using SmartPLS. Our findings indicate that group cohesiveness, professional code, information security awareness, and informal work practices have significant influence on information security culture. Further, the security culture has positive impact on information security success perception. The contribution of this research lies in establishing the role of security culture and information security awareness in contributing toward information security success.     

Google and Privacy

Abstract

Google has emerged as the preeminent Internet search engine, but more important, it has achieved an iconic status. It is solidly entrenched in our language and popular culture. But there is a darker side to Google. Google collects personal information about its users, and it aggregates third party information more effectively than many third world governments. While there has been no abuse (that we know of) by Google of personal information, that potential exists, and there are numerous instances of third parties using Google to aggregate personal information for dubious purposes.     

Organizational identity and information systems: how organizational ICT reflect who an organization is

The work reported here contributes to our understanding of organizational identity regarding its influence on organizational action related to the development of information and communications technologies (ICT). The empirical basis of this work comes from case studies of integrated criminal justice information systems (IJIS). IJIS are organizational and technological ensembles created to facilitate inter-organizational information sharing among criminal justice agencies. The focus of these case studies was to examine how organizational identity shapes organizational ICT. This research found that organizational identity shapes an organization’s ICT-related processes and is reflected in the material configurations of an organization’s ICT; and that organizations with different identities exhibit those differences in their ICT. Three implications of this research are that organizational identity serves as both an enabler and constraint on organizational ICT development; organizational identity commitments will likely serve as a barrier to large-scale integration of different organizations’ systems; organizational identity is relatively static and difficult to change.     

GIS应用工程中的组织设计探讨

从GIS与组织管理之间关系、GIS与组织变革之间关系的讨论出发,倡议在GIS应用项目规划中进行专门的组织设计。组织设计是围绕组织管理、业务流程、组织变革、项目治理等方面所进行的设计工作。组织设计有两个目标：既满足GIS应用的基本需求,又要求组织有计划、有步骤地引进技术,主动改进组织的目标、战略、结构和流程。GIS组织设计的基本内容包括：组织结构设计、信息维护与共享设计、系统维护设计、人力资源规划、信息处理流程设计、政篆设计、项目实施组织设计等。