The “Right” recipes for security culture: a competing values model perspective

This study argues that the effect of perceived organizational culture on the formation of security-related subjective norms and the level of compliance pressure will vary based on how the employees perceive their organization's cultural values. These perceptions reflect on the assumptions and principles that organizations use to guide their security-related behaviors. To make these arguments, we adopt the competing values model (CVM), which is a model used to understand the range of organizational values and resulting cultural archetypes.

This study conducted a survey of working professionals in the banking and higher education industries and used partial least squares (PLS)-structural equation model (SEM) to analyze the data. In a series of post hoc analyses, we ran a set of multi-group analyses to compare the perceived organizational cultural effects between the working professionals in both industries.

Our study reveals that perceived organizational cultures in favor of stability and control promoted more positive security-related behaviors. However, the different effects were more pronounced when comparing the effects between the working professionals in both industries.

This study is one of the few that examines which cultural archetypes are more effective at fostering positive security behaviors. These findings suggest that we should be cautious about generalizing the effects of organizational culture on security-related actions across different contexts and industries.