Shojaie 2015

Abstract: ISO 27001 is the most widely adopted international information security management standard, used in several countries and industries. This paper looks closely at the impacts of cultural characteristics on the different phases of developing ISO 27001, based on three levels (country, organisational, and personal), which is especially helpful for Small and Medium Enterprises (SMEs). Cultural dimensions can significantly affect organisational administration and achievements such as decision-making, innovation and new practices, work motivation, negotiation, human resource practices, and leadership. The results are mainly based on a literature review (such as Hofstede) and on the relationship of the reviewed cultural dimensions with the ISO 27001 Annex A. The outcomes of this paper illustrate that national (country level) cultural dimensions have a high impact on the success and effectiveness of the ISO 27001 development phases.

Keywords: ISMS, ISO 27001, Culture.

I. INTRODUCTION

ISO 27001 is an important Information Security Management (ISM) standard in the information security world. This standard puts technology, process and people in place [1] to help organisations safeguard their information and physical assets in a structured manner. ISO 27001 is divided into two main parts. The first part is the requirements definition, and the second part is the Annex A security controls. Annex A defines an extensive list of 114 controls, which provide a suitable basis for defining essential countermeasures in any organisation [2]. The Annex A controls are categorised into 14 groups, based on their common objectives, from domain A.5 (Information security policies) to A.18 (Compliance). Most of these control domains include distinct subdomains, which describe the relevant controls in more detail. For example, A.7 (Human resource security) contains three subdomains: A.7.1 (Prior to employment), A.7.2 (During employment), and A.7.3 (Termination and change of employment) [2].

The reason for several security breaches in organisations is possibly the inability to focus on non-technical issues, such as procedures and strategies, which can help to reduce threats and control the damage caused by these breaches [3]. Internal factors such as human resources play an important role in the effectiveness of ISMS performance and of the chosen controls [4]. However, the ways employees define their attitudes toward responsibility give information security different levels of importance [5], which may affect control selection, policy definition and execution in an organisation. Besides, the cultural behavioural restrictions of some western countries are not applicable to the Far East. For example, Japanese quality control procedures are not successfully accepted in the west [6].

The ISMS is a process-based approach, and the scope of this paper covers the different stages of developing the ISMS following ISO 27001, such as planning or implementation. The development of this standard is possibly influenced by cultural constraints, which may result in not gaining the expected performance outcome. The results of this paper are useful for organisations (especially multi-national or resource-limited ones) which aim to develop or improve the practical efficiency of their ISMS. Considering and being aware of possible cultural biases, and of their consequences on the development phases of this standard, may improve the estimation of resource requirements (such as human, time or budget).

In this paper, we use three cultural levels (country, organisational and personal) to analyse the control domains of ISO 27001. For each level, the relevant literature is studied and the effective dimensions are selected. Fig. 1 shows the selected cultural levels, the relevant literature, and the ten cultural dimensions which are discussed throughout the paper.

Figure 1. A general overview of selected cultural dimensions
improvement methodology). The UAI plays an important role in ISO 27001 success, as this rule-based standard depends remarkably on the effectiveness and practicality of the defined controls and regulations. The UAI is definable at both the country and the individual level.

b) PDI: High PDI countries believe in centralised decision-making and tight controls. In high PDI countries, managers do not normally consult with subordinates, and employees pay more attention to superiors and formal norms [14]. Low PDI cultures are based on trust and mostly consider their peers and informal norms as behaviour guidance, rather than formal obligations. This assumption can lead to insecure behaviour [19].

c) IDV: Individualist (high IDV) cultures resolve conflicts by using skills and training to integrate people's interests in an organisation [14]. Shared responsibilities help collectivist (low IDV) cultures to improve their performance. Moreover, collectivism mostly emphasises following guidelines and rules in tasks, based on a prevention focus. Defining the specific details of each employee's responsibilities, and segregation of duties, are preferred in the individualist culture. In this culture, the individual benefits of ISO 27001 should be illustrated for each employee separately (such as gaining knowledge and skills as a result of training and awareness programmes). However, in a collectivist culture, management can focus more on the group benefits of ISO 27001 (such as reputation and increasing the satisfaction of interested parties).

2) Globe: Organisational developers, over time, change their behaviour and leadership style according to the organisational culture in order to accommodate all or most members [15]. The most acceptable leadership behaviour determines the organisational cultural attributes and practices. Globe investigates the national culture of middle managers; the dimensions selected here are UAI (the level of procedures and bureaucratic practices for preventing future unpredictability), PDI (the level of expectation and acceptance of unequally shared power), and in-group collectivism (the level of loyalty and pride in belonging to a group) [15]. The UAI and PDI dimensions of Globe and Hofstede are considered to have a consistent definition, which is sufficient for the purpose of this paper. The collectivism dimension of Hofstede and the in-group collectivism dimension of Globe also have the required level of similarity, for the scope of this paper, to be treated as matching concepts.

3) Gelfand: The Gelfand theory of tightness vs. looseness is related to the degree of monitoring, punishment and societal order in a society [21]. People have more of a prevention focus in tight countries, and more promotion concerns in loose countries. In tight countries, fixed disciplines, strict rules, integration and uniformity are highly valued [4]. So, adopting the ISO 27001 standard is easier in tight countries compared to loose countries. In decision-making, tight countries generate ideas based on established procedures [16], while loose people challenge established procedures and propose solutions from outside the system. These countries are more flexible in changing their behaviour according to policies and defined regulations [18]. Loose employees' different interpretations of how to execute policies may, on the one hand, lead to conflicts and, on the other hand, lead to innovations. The level of monitoring may affect loose employees' performance as a result of negative emotional reactions. Employees may also criticise the negative effects of controls on their job performance, which is one of the important factors in adopting the ISO 27001 standard.

B. Country Level Discussion

The national characteristics (country level) affect ISO 27001 adoption and successful implementation. According to the ISO survey 2013 [2], ISO 27001 is properly implemented in both Japan (high UAI) and India (high PDI). The highest numbers of certifications belong to Japan, India and the United Kingdom (high IDV). There are several factors (such as mother tongue) influencing the adoption rate or success of this standard in different countries, which are outside the scope of this paper.

At the country level, the controls relevant to people in Annex A, such as A.6.1.1 (Information security roles and responsibilities), and the potential effects of the UAI, PDI and IDV dimensions are studied. Hofstede and Globe defined similar cultural dimensions; the differences between the two publications' definitions of UAI, PDI and IDV are not considered in this paper. Several publications indicate the undeniable effects of these dimensions on shaping the organisational culture, employees' behaviour and management decisions [18]. Comparatively, for the controls relevant to management contribution, the PDI plays an important role, for example in the A.5.1.1 (Policies for information security) Annex A control. For defining rules, regulations and policies, the UAI dimension is effective, for example in A.5.1.2 (Review of the policies for information security).

The IDV affects the way roles and responsibilities are defined, such as the level of detail, generality, overlap, and consultative or autocratic style, for example in A.6.1.2 (Segregation of duties). An autocrat may define fewer job responsibilities relevant to management duties, as they prefer no interference or conflict about management's important decisions. Collectivist cultures may have more conflicts in their duties, as the final output results are based on the behaviour and performance of all employees, as in A.6.1.1 (Information security roles and responsibilities). Also, these employees are highly concerned about the interests of their organisations.

Countries with high UAI may produce several layers of preventive controls, which are not necessarily required. This may result in an inefficient, ineffective and costly project, contrary to the ISO 27001 standard objectives. The UAI has a positive relationship with the ISO 27001 controls defined in Annex A, especially the controls relevant to monitoring and change management, such as A.14.2.3 (Technical review of applications after operating platform changes). High UAI and high IDV cultures both prefer segregation of duties, as in A.6.1.2 (Segregation of duties). They may also define more restrictions and limitations for employees committing breaches, by imposing harder penalties compared to collectivist cultures. A.7.2.3 (Disciplinary process) is an example of the Annex A controls relevant to employees raising security issues in an organisation.

A high PDI manager may not consult with employees during the process of developing policies. They might not ask for
employees' opinions or execution experiences in order to deal with organisational security concerns in an efficient way. This could influence employees' motivation to properly implement the established rules and regulations. In high PDI countries, employees constantly seek management's direction and confirmation about their duties, and a high number of reports is demanded between the different levels of the hierarchy. So, these cultures may adopt an ISMS more easily because of the large number of required documents, guidelines and policies defined by management.

It is important for management to pay attention to all stages of developing an ISMS, as ISO 27001 is a process-based management system. Focusing on one stage of development (such as planning) may result in less attention to other stages (such as maintenance), which may raise new security issues. Running an ISMS continuously needs detective, preventive and reactive actions to achieve and maintain an acceptable level of security.

C. Organisation Level Classification

Every organisation has particular instructions for its working structure, qualifications, career system, and group configuration. The organisational culture is influenced by several factors, which interact with and influence each other all the time [22]. This organisational culture is based on shared beliefs, which are communicated between employees, and it is responsible for the success or failure of an organisation [17]. The organisational culture is based on specific activities in an organisation, such as management's visions and employees' behaviour, on three levels: individual, group and the whole organisation [5]. The employees' personality affects and is affected by the working environment. Adopting organisational policies and motivating employees to make the right decisions require strong leadership. The information security culture is influenced by the type of organisational culture, and by the effectiveness of the implemented information security components (such as policies) on each organisational behaviour level [1].

In this section, two important references, McClelland [22] and Handy and Harrison [5], are analysed, and McClelland is analysed further.

1) McClelland: Cultural values are studied in different fields of applied psychology and management, such as conflict management, change management, human resource management, work-related mind-sets, decision-making, negotiation, reward allocation, individual behaviour based on group personality, and leadership [22]. Leadership is defined as the individual ability to motivate and influence other members to commit to the organisational performance and success [22]. The main reason for not maintaining an acceptable level of information security in an organisation is contrary motivations [1]. McClelland's leadership framework is based on three types of motivation: affiliation, power, and achievement. A highly achievement-motivated manager strongly takes the initiative, which maintains a high level of commitment, job involvement, and individual-level performance. This can be a suitable leadership motivation for planning ISO 27001, because these managers mostly take calculated risks and examine the working environment adequately, which enhances the decision-making process (such as control selection). Results and outcomes are the main focus of these types of managers in their assessment systems, which maintains a strict and suitable environment, as well as an appropriate base for successful ISMS implementation.

2) Handy and Harrison: Handy and Harrison classify organisational cultures based on the level of formality and centralisation [5]. In the bureaucratic culture, every employee has to conform to the organisation's rules strictly, as in public sector organisations. These types of organisations can easily adopt ISO 27001 regulations, especially the ones relevant to employees' responsibilities, and the instruction documentation that guarantees the implementation. In the autocratic culture, leaders initiate regulations and control employees' behaviour strictly. In an autocratic organisation, employees' cooperation is regularly reviewed and employees highly seek management's approval, which may help to prevent easily detectable errors. On the one hand, this type of organisation can maintain an appropriate cultural environment for ISO 27001 development. On the other hand, it is more likely that new rules are defined without considering the organisational culture [17]. In matrix task-based organisations, employees' commitment is necessary for taking decisions, which may improve employees' performance.

D. Organisation Level Discussion

At the organisational level, according to McClelland's leadership motivation framework, lower-level managers with high achievement motivation are more successful [22]. Highly power-motivated managers are interested in influencing people, while low affiliation motivation is what makes it possible to take hard decisions without being held back by employees' disapproval [19]. Regarding organisational culture, some cultures believe in taking strong decisions, while others focus on group thinking and participative methods [23]. Leadership affects the level of effort required for an ISO 27001 development, as this standard is not a single-dimension technical guideline.

E. Personal Level Classification

In this section, the personal characteristics are investigated. Personality traits are individual differences, which are stable and consistent patterns formed by the culture [6].

1) Norman's Big 5: Norman's Big 5 personality model includes neuroticism (sad and sometimes easily angered), extraversion (energy and positive emotions), openness to experience (seeking new experiences and accepting different ideas), agreeableness (cooperative), and conscientiousness (self-discipline).

Two dimensions, extraversion and agreeableness, are mostly influenced by culture [6]. Employees with a high level of conscientiousness generally conform better with security policies or organisational cultural changes. A low level of agreeableness may result in using power for solving conflicts [21]. Agreeableness, openness and conscientiousness are the most important factors that can influence the adoption and efficiency level of the different stages of ISO 27001 development.

F. Personal Level Discussion

At the personal level, Norman's Big 5 conscientiousness dimension is the best factor to describe job performance. Employees with a high level of conscientiousness are mainly hardworking, punctual and systematically more productive [22]. Considering personal culture, people probably perform better in organisations which adopt their own values and norms. Personality and personal motivations are helpful for predicting individuals' job performance [6]. Organisations may select suitable people regarding the Big 5 dimensions based on the requirements of their work settings.

IV. RELATIONSHIP BETWEEN CULTURAL DIMENSIONS AND ISO 27001

In this section, the relationship between the mentioned cultural dimensions and the ISO 27001 controls is discussed. The relationships between national culture and information security are thoroughly discussed and compared across various literature in [24], which is mainly based on the Hofstede cultural dimensions and the dependent variables. However, the relevance of these cultural dimensions to ISO 27001 development is not sufficiently investigated in the literature.

The first part of ISO 27001 (requirements definition) is highly influenced by leadership or management skills. The second part (Annex A) is the main scope of this paper, and provides an acceptable level of security for any type of organisation. To find out the impacts of these cultural dimensions on the controls defined in Annex A, the three levels (country, organisational, and personal) of cultural dimensions are analysed. Based on this analysis, the main idea (concept) of each cultural dimension is extracted, to find out the main focus of each level on the controls defined in Annex A. For a better understanding of the selected national dimensions, some examples are provided in the Appendix "Country cultural dimensions distribution", which gives a general overview of the selected cultural dimensions and the countries scoring relatively high on them.

These discussed cultural dimensions provide appropriate criteria for a structured comparison with the ISO 27001 standard. In addition, these cultural dimensions may enhance the effectiveness of the ISO 27001 standard, with respect to the described cultural biases in the selection and implementation of the controls required for protecting an organisation. Management's perceptions possibly influence the definition of formal procedures, and employees' attitudes may affect the implementation and design phases of the controls. The Annex A controls are mainly classified into three general groups of detection, prevention and reaction, as Fig. 2 shows. Most of the control domains defined in Annex A (from A.5 to A.18) are influenced by all three of these groups of action.

Figure 2. Controls high-level classification

The high-level classification in Fig. 2 demonstrates the main focus of the Annex A controls, for defining whether the cultural dimensions and biases affect the efficiency of ISO 27001 standard development. The mentioned cultural dimensions possibly influence each group of action; for example, prevention is considered the main focus of the UAI. The prevention focus covers more than two thirds of the total number of controls. Besides that, technical controls are generally prevention-focused, such as A.10 (Cryptography), which is highly technical and prevention-based. As expected, the Annex A controls are mainly based on prevention. The reaction and detection groups are ranked second and third. The A.14, A.16 and A.18 controls of Annex A are mostly based on the reaction concept, and are mainly focused on maintenance actions. Moreover, A.17 is particularly focused on the reaction concept, as it covers business continuity management. The detection group has approximately the same level of distribution. A.11 and A.12 are mainly based on the detection concept.

Afterwards, the Annex A controls are analysed thoroughly, to identify the aim of the controls based on Hofstede's selected dimensions of PDI, UAI, and IDV. These investigated controls are based on the people category [7], in order to define their effects on the process of control selection or implementation. The main goal of almost all the controls is to eliminate different types of uncertainty in the future. Besides that, some controls aim to reduce or prevent the likelihood of future uncertainty. These three selected dimensions influence most of the control domains with different levels of distribution, as Fig. 3 shows.
Figure 3. Controls classification based on the Hofstede selected dimensions

Figure 4. Controls classification based on the Gelfand dimension

The Fig. 3 statistics demonstrate that the highest level of the controls' focus is on the UAI dimension, which is an expected result, as the prevention focus is greatly associated with the objectives of the ISO 27001 standard. The controls related to the UAI are highly distributed across the different stages of ISO 27001 development. Around 95% of the controls relevant to people are focused on the UAI dimension. The IDV is in second place in the Annex A controls' focus. Individualist cultures may have more security concerns and may be more precise about defining guidelines and rules, for example access control policies, such as A.9.2.2 (User access provisioning). However, collectivist cultures may have fewer security concerns about internal unauthorised access. The PDI mainly influences the controls relevant to management, and the controls mostly relevant to defining and communicating policies, such as A.7.2.1 (Management responsibilities). The IDV and PDI have different levels of distribution between controls. These three cultural dimensions of Hofstede affect the A.7 controls all together. These three dimensions also affect some individual controls, such as A.7.2.2 (Information security awareness, education and training). Hofstede's dimensions do not affect A.10, A.13, A.15 and A.16 at all, as these controls address technical issues, and cultural characteristics usually do not affect technical controls, such as encryption methods. Most of the controls are influenced roughly 50% by the UAI dimension, with a mixed distribution of the other two Hofstede dimensions (IDV and PDI).

The rest of the analysis was based on all the controls defined in Annex A. Generally, the aim of the controls is either direct monitoring (by formal rules or policies), such as A.6.2.1 (Mobile device policy), or indirect monitoring (by defining procedures and the recommended secure methods of completing a task), such as A.9.1.2 (Access to networks and network services). Consequently, monitoring and uncertainty avoidance are to some extent relevant to all types of controls. Fig. 4 presents the focus of the Annex A controls based on Gelfand's dimensions.

As Fig. 4 shows, the focus of the controls is on direct monitoring. As the level of monitoring determines the main difference between Gelfand's tightness and looseness dimensions, the controls are classified based on the monitoring concept (controls are either affected directly or indirectly). Out of the 114 controls defined in Annex A, direct monitoring influences 55% of the controls. A.7, A.10, A.16, A.17, and A.18 are mainly based on direct monitoring. Adopting these controls may be a challenge for loose countries. Indirect monitoring may be favoured by loose countries, while tight countries prefer accurate and detailed procedures for accomplishing tasks. Accordingly, tight countries may adopt ISO 27001 more than loose countries. Indirect monitoring is the main focus of A.6, A.11, and A.13, which can indicate a high level of adoption by both tight and loose countries.

To investigate the organisational culture, McClelland's framework is selected. The controls relevant to management's roles and responsibilities are considered for this aim, which are approximately 18% of the total controls. McClelland's leadership framework is highly distributed in the A.6 and A.7 controls. These results indicate that the controls relevant to the A.6 and A.7 domains can be biased by management's perceptions and decisions. This leadership framework does not affect A.14, A.15, or A.17.

Norman's Big 5 is selected for the personal cultural dimension, which mainly influences the controls relevant to employees' selection, tasks, and duties. These controls are around 44% of the total controls' focus. The Big 5 dimensions have the least impact on the A.14 and A.17 controls. A.6, A.7, A.9, and A.15 are highly affected by the Big 5 personality dimensions (considering employees' characteristics). So, the employees' personality can influence the effectiveness level of the execution and maintenance of these controls.

Fig. 5 displays the average of the cultural characteristics' effects on each control domain in Annex A. It provides an overview of all the discussed cultural dimensions at one glance, regardless of the three defined levels and classifications.
first phase of developing ISO 27001 (this first phase is called "plan" in ISO 27001:2005 [13]). This pre-phase is aimed at analysing the current organisational culture, which guides the ISO 27001 development process in a systematic and organised manner, and clarifies the expected results and possible difficulties. The pre-phase plan analysis uses resources (such as human, time and budget) more efficiently and practically, which can prevent higher future resource consumption and the discussed security concerns. It can considerably enhance the development success and the adoption rate of this standard, and can prevent the possible failure points of the discussed cultural biases. This pre-phase plan is also useful for estimating the organisation's readiness, as it helps remarkably to form more concrete and realistic perceptions of the expected results and the resource consumption requirements.

V. CONCLUSION

This paper investigated the impacts of cultural dimensions on the efficiency level of ISO 27001 controls implementation. Understanding the security issues and potential problems caused by cultural characteristics and biases helps organisations to improve the development phases of ISO 27001 with respect to the required efforts and resources. Being aware of these cultural effects at the three levels of country, organisation and person is a requirement for adopting this international standard. This awareness helps greatly to define an appropriate level of resources and preparation requirements to increase the ISO 27001 efficiency.

As the results show, the main focus of the controls is on prevention and uncertainty avoidance. Compliance, adoption and the ability to map between the cultural dimensions and the controls defined in Annex A are also helpful in choosing dimensions from the discussed literature at the three levels of country, organisation and person. The country's cultural characteristics have the highest level of impact on the ISO 27001 adoption and development phases. The UAI dimension, as both an individual and a national characteristic, has the highest level of effect on the efficiency and benefits of ISO 27001. The personal and organisational dimensions affect the controls relevant to employees' tasks and management's decisions as important factors for ISO 27001 success.

This paper recommends a pre-phase plan before commencing the first phase of ISO 27001 development, as a cultural analysis, to evaluate the dominant and effective culture of that particular organisation (considering mainly national and organisational culture) for enhancing the ISO 27001 output results and effectiveness level. The organisation's readiness is important for adopting any ISMS standard, especially ISO 27001. Adopting and implementing ISO 27001 with a high level of benefits and achievements requires a cultural change. Based on the gained results, some controls (such as information security policies) are influenced by all ten cultural dimensions observed in this paper. When a national ISMS standard is designed, these cultural controls require special attention and care for implementation and customisation. The mentioned cultural dimensions do not highly affect some other controls, such as cryptography.

REFERENCES

[1] Siponen, M., Willison, R.: Information Security Management Standards: Problems and Solutions, J. Information & Management. 46, 267-270 (2009)
[2] International Organization for Standardization / International Electrotechnical Commission: ISO/IEC 27001:2013: Information Technology, Security Techniques, Information Security Management Systems, Requirements (2013)
[3] SANS Institute: Developing a Security-Awareness Culture - Improving Security Decision Making (2005)
[4] Gelfand, M., Nishii, L., Raver, J.: On the Nature and Importance of Cultural Tightness-Looseness, Journal of Applied Psychology. 91, 1225-1244 (2007)
[5] Veiga, A., Eloff, J.: A Framework and Assessment Instrument for Information Security Culture, J. Computers & Security. 29 (2009)
[6] Rolland, J.: The Cross-Cultural Generalizability of the Five-Factor Model of Personality, J. International and Cultural Psychology, 7-28 (2011)
[7] Shojaie, B., Federrath, H., Saberi, I.: Evaluating the Effectiveness of ISO 27001:2013 Based on Annex A. In: Ninth International Conference on Availability, Reliability and Security (ARES), pp. 259-264, Switzerland (2014)
[8] Ashenden, D., Willison, R.: Information Security Management: A Human Challenge?, Information Security Technical Report. j.istr.2008.10.006 (2008)
[9] Hirsch, C., Ezingread, J.N.: Perceptual and Cultural Aspects of Risk Management Alignment: A Case Study, J. Information & Management. JISSec 4 (1) (2008)
[10] Ifinedo, P.: Relationships between Relevant Contextual Influences and Information Security Threats and Controls in Global Financial Services Industry, CIT. Journal of Computing and Information Technology. 21 (2013)
[11] Knapp, K.J., et al.: Information Security: Management's Effect on Culture and Policy, J. Information Management & Computer Security. 14, 24-36 (2006)
[12] Uebelacker, S.: Security-Aware Organizational Cultures as a Starting Point for Mitigating Socio-Technical Risks, Germany, 2046-2057 (2013)
[13] International Organization for Standardization / International Electrotechnical Commission: ISO/IEC 27001:2005: Information Technology, Security Techniques, Information Security Management Systems, Requirements (2005)
[14] Hofstede, G., Minkov, M.: Cultures and Organizations: Software of the Mind. 3rd Edition, McGraw-Hill, USA (2010)
[15] Javidan, M., House, R.J., Dorfman, P.W., Hanges, P.J., Luque, M.S.: Conceptualizing and Measuring Cultures and Their Consequences: A Comparative Review of GLOBE's and Hofstede's Approaches, Journal of International Business Studies, 898-914 (2006)
[16] Gelfand, M., et al.: Differences Between Tight and Loose Cultures: A 33-Nation Study, J. Science. 332, 1100-1104 (2011)
[17] Maignan, I.: Consumers' Perceptions of Corporate Social Responsibilities: A Cross-Cultural Comparison, Journal of Business Ethics. 30, 57-72 (2001)
[18] Paulsen, C., Coulson, T.: Beyond Awareness: Using Business Intelligence to Create a Culture of Information Security, J. Communications of the IIMA. 11, 35-54 (2011)
[19] Chen, C., Medlin, B.: A Cross Cultural Investigation of Situational Information Security Awareness Programs, J. Information Management & Computer Security. 16 (1993)
[20] Ifinedo, P.: Information Technology Security Management Concerns in Global Financial Services Institutions: Is National Culture a Differentiator?, J. Information Management & Computer Security (2009)
[21] Kawasaki, R., Hiromatsu, T.: Proposal of a Model Supporting Decision-Making on Information Security Risk Treatment, Int. J. Computer, Information, Systems and Control Engineering. 8, 545-551 (2014)
[22] McClelland, D., Boyatzis, R.: Leadership Motive Pattern and Long-Term Success in Management, J. Applied Psychology. 67(6), 737-743 (1982)
[23] Koopman, P., Den Hartog, D., Konrad, E., et al.: National Culture and Leadership Profiles in Europe: Some Results From the GLOBE Study, European Journal of Work and Organizational Psychology. 8, 503-520 (2010)
[24] Ifinedo, P.: The Effects of National Culture on the Assessment of Information Security Threats and Controls in Financial Services Industry, International Journal of Electronic Business Management. 12, 75-89 (2014)