Exploring the Moderating Effect of Organizational Culture on Employees Information Security Compliance
No Thumbnail Available
Date
2025-02
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
Addis Ababa University
Abstract
Employee non-compliance with Information Security Policies (ISPs) poses a significant and ongoing threat to organizational security, especially in developing countries like Ethiopia. Despite the implementation of formal policies and technical safeguards, organizations continue to experience insider threats resulting from behavioral non-compliance. This dissertation explores the factors that influence employees' intentions to comply with ISPs, focusing on how motivational drivers and organizational culture shape compliance intentions within specific organizational contexts.
Building upon Rational Choice Theory (RCT) and the Competing Values Framework (CVF), this study introduces an integrated model that investigates four motivational factors formal sanctions, perceived benefits, moral beliefs, and shame as predictors of compliance intentions. It also examines how these factors are moderated by four dimensions of organizational culture: consistency, cooperativeness, innovativeness, and effectiveness. By focusing on compliance intentions rather than actual behaviour, the study offers a more precise analysis of how motivational and cultural influences impact employee decisions, aligning with theory-driven approaches in organizational behaviour research.
The research employed a quantitative approach, surveying 553 employees from organizations across Ethiopia that had established ISPs. The collected data were analysed using Partial Least Squares Structural Equation Modeling (PLS-SEM) to test the hypothesized relationships and the moderating effects of organizational culture on compliance intentions.
The findings reveal that moral beliefs, formal sanctions, and perceived benefits are significant predictors of employees’ intentions to comply with ISPs. More importantly, these relationships are strongly influenced by organizational culture. For instance, a culture of consistency amplifies the impact of both formal sanctions and moral beliefs on compliance intentions, while other cultural dimensions, such as cooperativeness and innovativeness, show more context-dependent effects.
This research makes several important theoretical contributions. It extends Rational Choice Theory by integrating organizational culture as a moderator, challenging the conventional view that compliance decisions are purely rational and individualistic. Additionally, it advances the Competing Values Framework by operationalizing its cultural dimensions at the individual level, a method seldom used in previous information security research. This approach addresses gaps in existing theories that overlook the intersection of motivational drivers and cultural contexts, particularly in non-Western, resource-constrained environments.
From a practical standpoint, the study provides valuable insights for policymakers and organizational leaders. It underscores the necessity of aligning formal compliance mechanisms with organizational culture, particularly cultural values that promote consistency and ethical behaviour. Such alignment can enhance the success of ISP implementation and reduce the risk of insider threats, offering a culturally grounded strategy for strengthening information security in developing nations.
Description
Keywords
Information Security, Information Security Policy, Intention to Comply with ISP, Insiders, Organizational Culture, Rational Choice theory, and Computing Value Framework