2015 10th International Conference on Availability, Reliability and Security

The Effects of Cultural Dimensions on the

Development of an ISMS Based on the ISO 27001

Bahareh Shojaie, Hannes Federrath Iman Saberi

University of Hamburg Technical University of Hamburg
{shojaie,federrath}@informatik.uni-hamburg.de iman.saberi@tuhh.de

Abstract The ISO 27001 is the most adopted international countries are not applicable to Far East. For example, Japanese
information security management standard, by several countries quality control procedures are not successfully accepted in the
and industries. This paper looks closely to the impacts of cultural west [6].
characteristics on different phases of developing ISO 27001,
based on three levels (country, organisational, and personal), The ISMS is a process-based approach, and the scope of
which is especially helpful for Small and Medium Enterprises this paper covers different stages of developing the ISMS fol-
(SMEs). Cultural dimensions can significantly affect organisa- lowing the ISO 27001, such as planning or implementation.
tional administration and achievements such as decision-making, The development of this standard is possibly influenced by
innovation and new practices, work motivation, negotiation, hu- cultural constrains, which may result in not gaining the ex-
man resource practices, and leadership. The results are mainly pected performance outcome. The results of this paper are use-
based on a literature review, such as Hofstede and their relation- ful for organisations (especially multi-national or limited-
ship with the ISO 27001 Annex A. The outcomes of this paper resources), which aim for developing or improving their ISMS
illustrate that national (country level) cultural dimensions have practical efficiency. Considering and being aware of possible
high impact on the success and effectiveness of the ISO 27001 cultural biases, and consequences on the development phases
development phases. of this standard may enhance the resources requirements (such
as human, time or budget).
Keywords ISMS, ISO 27001, Culture.
In this paper, we use three cultural levels (country, organ-
I. INTRODUCTION izational and personal) to analyse the control domains of ISO
The ISO 27001 is an important Information Security Man- 27001. For each level, the relevant literature is studied and
agement (ISM) standard in the information security world. This effective dimensions are selected. Fig. 1 shows the selected
standard puts technology, process and people in place [1] to cultural levels, relevant literature, and the ten cultural dimen-
help organisations safeguarding their information and physical sions, which are discussed throughout paper.
assets in a structured manner. The ISO 27001 is divided into
two main parts. The first part is the requirements definition,
and the second part is the Annex A security controls. The An-
nex A defines an extensive list of 114 controls, which provide a
suitable solution for defining essential countermeasures in any
organisation [2]. The Annex A controls are categorized to 14
groups, based on their common objectives, from domains A.5
(Information security policies) to A.18 (Compliance). Most of
these control domains include distinctive subdomains, which
demonstrate the relevant controls in more details. For example,
A.7 (Human resource security) contains three subdomains
A.7.1 (Prior to employment), A.7.2 (During employment), and
A.7.3 (Termination and change of employment) [2].
The reason of having several security breaches in organisa-
tions is possibly the inability of focusing on non-technical is-
sues, such as procedures and strategies, which can help to re-
duce threats and control damages caused by these breaches [3].
The internal factors such as human resources play an important
role in the effectiveness level of ISMS performance, and cho-
sen controls [4]. However, the ways employees define their
attitudes toward responsibility provide distinctive levels of
severity to information security [5], which may affect controls Figure 1. A general overview of Selected Cultural Dimensions
selection, policies definition and execution in an organisation.
Besides, cultural behavioural restrictions of some western

978-1-4673-6590-1/15 $31.00 2015 IEEE 159

DOI 10.1109/ARES.2015.25
 The remainder of the paper is organised as follows: Section
II discusses the motivation of the paper and the current issues
regarding the cultural aspects of ISO 27001 development. Sec-
tion III as the main contribution of the paper, defines cultural
dimensions and reviews the literature relevant to each level, for
finding their relationship to the Annex A controls. Section IV
demonstrates the results of the Annex A controls analysis and
the selected cultural dimensions. Finally, section V concludes
the paper.
II. PROBLEMS AND ISSUES
Peoples characteristics and cultural mind-set influence the
way ISO 27001 controls are selected and implemented.
Awareness of these possible consequences can help to improve
ISMS efficiency and success, reduce possible weaknesses, and
prevent ISO 27001 failure points. Most organisations are fo-
cused on defining effective policies to improve information
security behaviour [3]. However, finding out the reasons for
improperly defined rules can improve employees security be-
haviour, which may be the result of particular cultural biases.
The ISO 27001 adoption in every organisation requires a cul-
tural change, as it changes employees routine (the way they do
their tasks every day), the physical environment (the way they
enter premises, like access control policies), and communica-
tion devices (the way employees interact with information or
other people, like information protection policies). Correspond-
ingly, this paper is mainly based on the controls dealing with
people [7].
It is important to understand how peoples mind-set, per-
ception or behaviour affects the success or failure of ISMS
development. A positive answer to this question leads to fur-
ther cultural and technical researches for shaping these conse-
quences in a desired way to match the organisational require-
ments. Considering the lowest and the highest cultural dimen-
sions impacts on the ISO 27001 development help organisa-
tions to manage their resources more effectively, and decrease
possible undesired cultural biases. The organisational culture
can influence the resources optimization level, business objec-
tive achievements and communication effectiveness at the or-
ganisational and personal level [8]. The relationship between
risk perception and the effectiveness of an ISM strategy (such
as policies) is studied in practice, as the ISO 27001:2013 de-
fines risk assessment as the first step for selecting controls [9].
The main driver for ISMS success is top management sup-
port and information security policy [10]. Management support
and employees responsibilities for suitably selecting and ap-
propriately implementing controls cannot be denied [5]. The
management role [11] in critical decisions for developing ISO
27001, such as approving selected controls and confirming
essential resources is significantly important.
This paper focuses on the cultural aspects of supporting
ISO 27001 to find the reason, why this standard is more effi-
cient in some countries, and not considered adequately profit-
able in other regions. The main cultural effects of adopting a
standard or a technology are based on the country level, which
involves organisational and personal dimensions, at the same
time.
160
Based on the authors knowledge, the relationship between
culture and information security is more or less addressed in
literature. However, the possible effects of cultural characteris-
tics on the ISMS (more specifically ISO 27001) concerning
cultural dimensions are relatively innovative. As a result, the
existing literature must be studied and analysed carefully in
order to find the most suitable and effective cultural dimen-
sions.
III. CULTURAL CLASSIFICATIONS
Culture is the behaviour of an organisation to protect data,
information and knowledge [6], and cultural values influence
performance and learning motivation [12]. There is several
well-known literature, which is focused on the cultural impacts
at three levels of country (such as Hofstede, Globe or Gelfand),
organisation (such as Handy & Harrison or McClelland) and
personal (such as Normans Big 5). These three mentioned
cultural levels help considerably to analyse different features of
human cultural influences on this multi-dimensional ISO
27001 standard, which is influenced by a broad range of factors
(based on the wide range of control domains). The relevant
cultural dimensions of each level are introduced in this section
and their relationship with the ISO 27001 is discussed. After-
wards, selected cultural dimensions are adopted for further
analysis and their possible relationships with the ISO 27001
Annex A are investigated thoroughly [2,13].
A. Country level Classification
In this section, three significant publications [14,15,16] and
the relevant dimensions are analysed at the country level.
1) Hofstede: Personality shows the uniqueness of a person,
while culture shows the uniqueness of human groups [14].
Based on the Hofstede centre, the selected dimensions are
defined as Power Distance (PDI, who decides what),
Individualism (IDV), and Uncertainty avoidance (UAI, how to
make sure what must be done is really done). The role
differences are indicated by PDI (relation to authority), while
regulations and effective controls are described by UAI
(approaches of dealing with conflicts). The PDI and UAI
together define how organisations accomplish their tasks and
duties [17]. The IDV is mostly concerned about adopting
security technologies [18].
a) UAI: To adopt the uncertainty and unpredictability of
peoples behaviour, organisations use technology and rules
[20]. In high UAI countries, it is important to have many
formal and informal rules (for emotional needs), and people do
not feel comfortable without a structured set of rules [14]. On
the other hand, paying not enough attention to the practicability
of these defined rules may lead ISO 27001 to an inefficient and
costly standard. In countries with high UAI, it is more likely to
spend a lot of money on computer technology. They also
organise training courses more frequently for experts [18], as
an important factor in ISO 27001 success. Nevertheless, in low
UAI countries, people cannot cope easily with strict rules and
they are more suitable for doing unclear tasks [19]. Low UAI is
open to different interpretations, which creates innovation. This
can be significantly helpful for flexible parts of the ISO 27001
to select appropriate methods, based on the organisational
culture and requirements (such as risk assessment or continual
improvement methodology). The UAI plays an important role
in ISO 27001 success, as this rule-based standard remarkably
depends on the level of effectiveness and practicality of defined
controls and regulations. The UAI is definable in both country
and individual level.
b) PDI: High PDI countries believe in centralised
decision-making and tight controls. In high PDI countries,
managers do not normally consult with subordinates, and
employees pay more attention to superiors and formal norms
[14]. Low PDI is based on trust and mostly consider their
peers and informal norms as behaviour guidance, rather than
formal obligations. This assumption can lead to insecure
behaviour [19].
c) IDV: IDV resolve conflicts by using skills and
training to integrate peoples interests in an organisation [14].
Shared responsibilities help collectivism (low IDV) to improve
their performance. Moreover, collectivism mostly emphasizes
on following guidelines and rules in their tasks, based on the
prevention-focus. Defining specific details of each employees
responsibilities, and segregation of duties are preferred in the
IDV culture. In this culture, individual benefits of the ISO
27001 should be illustrated for each employee separately,
(such as gaining knowledge and skills as a result of training
and awareness programs). However, in a collectivism culture,
management can focus more on group benefits of the ISO
27001 (such as reputation and increasing interested parties
satisfaction).
2) Globe: Organisational developers, over time, change
their behaviour and leadership style according to
organisational culture to adopt all or most members [15]. The
most acceptable leadership behaviour determines
organisational cultural attributes and practices. Globe
investigates the national culture of middle managers, whose
selected dimensions are UAI (level of procedures and
bureaucratic practices for preventing the future
unpredictability), PDI (level of expectation and acceptance for
unequally shared power), and in-group collectivism (level of
loyalty and pride for belonging to a group) [15]. The UAI and
PDI dimensions of Globe and Hofstede are considered to have
a consistent definition, which is sufficient for the purpose of
this paper. The collectivism dimension of Hofstede and in-
group collectivism dimension of Globe also have the required
level of similarity for the scope of this paper to consider as
matching concepts.
3) Gelfand: The Gelfand theory of tightness vs. looseness
is related to the degree of monitoring, punishment and societal
order in a society [21]. People have more prevention-focus in
tight countries, and more promotion concerns in loose
countries. In tight countries, fixed disciplines, strict rules,
integration and uniformity are highly concerned [4]. So,
adopting the ISO 27001 standard is easier in tight countries
compared to loose countries. In case of decision-making, tight
countries generate ideas based on the established procedures
[16]. While, loose people challenge established procedures,
and propose their solution from outside of the system. These
countries are more flexible in changing their behaviour
according to policies and defined regulations [18]. Loose
employees different interpretations about executing policies
on one hand, may lead to conflicts and on the other hand, may
161
lead to innovations. The level of monitoring may affect loose
employees performance as a result of negative emotional
reactions. Employees may also criticize the negative effects of
controls on their job performance, which is one of the
important factors in adopting the ISO 27001 standard.
B. Country level Discussion
The national characteristics (country level) affect ISO
27001 adoption and successful implementation. According to
the ISO survey 2013 [2], ISO 27001 is properly implemented
in both Japan (high UAI) and India (high PDI). The top number
of certification belongs to Japan, India and the United King-
dom (high IDV). There are several factors (such as mother
tongue) influencing the adoption rate or success of this stan-
dard in different countries, which are not considered in the
scope of this paper.
At the country level, the controls relevant to people in the
Annex A, such as A.6.1.1 (Information security roles and re-
sponsibilities), and the potential effects of UAI, PDI, and IDV
dimensions are studied. Hofstede and Globe defined similar
cultural dimensions. The differences between three dimensions
of UAI, PDI and IDV between these two publications are not
considered for this paper. Several publications indicate the un-
deniable effects of these dimensions on shaping the organisa-
tional culture, the employees behaviour and management deci-
sions [18]. Comparatively, for the controls relevant to man-
agement contribution, the PDI plays an important role, such as
A.5.1.1 (Policies for information security) Annex A control.
For defining rules, regulations and policies, the UAI dimension
is effective, such as A.5.1.2 (Review of the policies for infor-
mation security).
The IDV affects the way roles and responsibilities are de-
fined, like the levels of details, generality, overlapping, consul-
tative or autocracy, such as A.6.1.2 (Segregation of duties). An
autocrat may define fewer job responsibilities relevant to man-
agement duties, as they prefer no interference or conflicts about
managements important decisions. Collectivism may have
more conflicts in their duties, as final output results are based
on the behaviour and performance of all employees, such as
A.6.1.1 (Information security roles and responsibilities). Also,
these employees are highly concerned about the interests of
their organisations.
The countries with high UAI may lead to several layers of
preventive controls, which are not necessarily required. This
may result in an inefficient, ineffective and costly project, in
contrary to the ISO 27001 standard objectives. The UAI has a
positive relationship with the ISO 27001 controls defined in the
Annex A, especially relevant controls to monitoring and
change management, such as A.14.2.3 (Technical review of
applications after operating platform changes). The UAI and
IDV both prefer segregation of duties, such as A.6.1.2 (Segre-
gation of duties). The UAI and IDV may also define more re-
strictions and limitations for employees committing breaches,
by forcing harder penalties compared to collectivism. A.7.2.3
(Disciplinary process) is an example for the Annex A controls
relevant to employees rising security issues in an organisation.
A high PDI manager may not consult with employees dur-
ing the process of developing policies. They might not ask for
employees opinions or execution experiences, in order to deal
with organisational security concerns in an efficient way. It
could influence employees motivation for properly imple-
menting these established rules and regulations. In high PDI
countries, employees constantly seek for managements direc-
tion and confirmation about their duties. And high number of
reports is demanded between different levels of hierarchy. So,
these cultures may adopt ISMS easier because of the large
number of required documentation, guidelines and policies
defined by management.
It is important for management to pay attention to all stages
of developing an ISMS, as ISO 27001 is a process based man-
agement system. Focusing on one stage of development (such
as planning) may result in less attention to other stages (such as
maintenance), which may raise new security issues. Running
an ISMS continuously, needs detective, preventive and reactive
actions to achieve and maintain an acceptable level of security.
C. Organisation Level Classification
Every organisation has particular instructions for working
structure, qualification, career system, and the groups configu-
ration. The organisational culture is influenced by several fac-
tors, which interact and influence each other all the time [22].
This organisational culture is based on shared beliefs, which is
communicated between employees and it is responsible for
success or failure of an organisation [17]. The organisational
culture is based on specific activities in an organisation, such as
managements visions, and employees behaviour on three
levels of: individual, group and the whole organisation [5]. The
employees personality affects and is affected by the working
environment. Adopting organisational policies and motivating
employees for making right decisions require a strong leader-
ship. The information security culture is influenced by type of
organisational culture, and the effectiveness of implemented
information security components (such as policies) on each
organisational behaviour level [1].
In this section, the two important references McClelland
[22], and Handy and Harrison [5] are analysed, and McClel-
land is further analysed.
1) McClelland: Cultural values are studied in different
fields of applied psychology and management, such as conflict
management, change management, human resource
management, working relevant mind-sets, decision-making,
negotiation, reward allocation, individual behaviour based on
group personality and leadership [22]. Leadership is defined as
individual ability to motivate, and influence other members to
commit in the organisational performance and success [22].
The main reason for not maintaining an acceptable level of
information security in an organisation is contrary motivations
[1]. McClellands leadership framework is based on three
types: affiliation, power, and achievement motivations. A high
achievement motivated manager strongly takes initiating
activities, which maintains a high level of commitment, job
involvement, and individual level performance. It can be an
suitable leadership motivation for planning ISO 27001.
Because these types of managers mostly take calculated risks
and examine working environment adequately, which
enhances the process of decisions making (such as control
selection). Results and outcomes are the main focus of these
162
types of managers in their assessment systems, which maintain
a strict and suitable environment, as well as an appropriate
base for successful ISMS implementation.
2) Handy and Harrison: Handy and Harrison classify
organisational cultures based on the level of formality and
centralisation [5]. In the bureaucratic culture, every employee
has to confirm to organisations rules strictly, like public
sector organisations. These types of organisations can easily
adopt ISO 27001 regulations, especially the ones relevant to
employees responsibilities, and instructions documentation to
guarantee the implementation. In the autocratic culture,
leaders initiate regulations and control employees behaviour
strictly. In an autocratic organisation, employees cooperation
is regularly reviewed and employees highly seek for
managements approval, which may help to prevent easily
detectable errors. On one hand, this type of organisations can
maintain an appropriate cultural environment for ISO 27001
development. On the other hand, it is more acceptable to
define new rules without considering organisational culture
[17]. In matrix task-based organisations, employees
commitment is necessary for taking decisions, which may
improve employees performance.
D. Organisation Level Discussion
At the organisational level, according to the McClellands
leadership motivation framework, lower level managers with
high achievement motivation are more successful [22]. High
power managers are interested in influencing people, while
high Affiliation motivation is important for making hard deci-
sions, without considering employees disapproval [19]. Re-
garding organisational culture, some believe in taking strong
decisions, while some other cultures focus on group thinking
and participative methods [23]. The leadership affects the level
of efforts required for an ISO 27001 development, as this stan-
dard is not a single dimension technical guideline.
E. Personal level Classification
In this section, the personal characteristics are investigated.
The personality traits are individual differences, which are sta-
ble and consistent patterns formed by the culture [6].
1) Normans Big 5: The Normans Big 5 personality
includes neuroticism (sad and sometimes easily angered),
extraversion (energy and positive emotions), openness to
experience (searching new experiences and accepting different
ideas), agreeableness (cooperative), and consciousness (self-
discipline).
Two dimensions of extraversion and agreeableness are
mostly influenced by culture [6]. Employees with high level of
consciousness generally confirm better with security policies or
organisational cultural changes. The low level of agreeableness
may result in using power for solving conflicts [21]. Agree-
ableness, openness and consciousness are the most important
factors, which can influence adoption and efficiency level of
ISO 27001 different stages development.
F. Personal Level Discussion
At the personal level, Normans Big 5 consciousness di-
mension is the best factor to describe job performance. Em-
ployees with high level of consciousness are mainly hardwork-
ing, punctual and systematically more productive [22]. Consid-
ering personal culture, people probably have higher perform-
ance in organisations, which adapt their own values and norms.
Personality and personal motivations are helpful for predicting
individuals job performance [6]. Organisations may select
suitable people regarding Big 5 dimensions based on the re-
quirements of their work settings.
IV. RELATIONSHIP BETWEEN CULTURAL DIMENSIONS AND
ISO 27001
In this section, the relationship between the mentioned cul-
tural dimensions and ISO 27001 controls are discussed. The
relationships between national culture and information security
are thoroughly discussed and compared among various litera-
ture in [24], which is mainly based on the Hofstede cultural
dimensions and the dependent variables. However, the rele-
vance of these cultural dimensions and ISO 27001 develop-
ment is not sufficiently investigated in the literature.
The first part of the ISO 27001 (requirements definition) is
highly influenced by leadership or management skills. The
second part (Annex A) is the main scope of this paper, which
provides an acceptable level of security for any type of an or-
ganisation. To find out the impacts of these cultural dimensions Figure 2. Controls High-level classification
on the controls defined in the Annex A, these three levels
(country, organisational, and personal) of cultural dimensions The high level classification in Fig. 2 demonstrates the
are analysed. Based on this analysis, the main idea (concept) of main focus of the Annex A controls for defining whether the
each cultural dimension is extracted, to find out the main focus cultural dimensions and biases affect the efficiency of ISO
of each level on the controls defined in the Annex A. For better 27001 standard development. These mentioned cultural dimen-
understanding of selected national dimensions, some examples sions possibly influence each group of action; for example pre-
are provided in the Appendix Country cultural dimensions vention is considered as the main focus of the UAI. The pre-
distribution, which indicates a general overview of the se- vention-focus covers more than 2/3 of the total number of con-
lected cultural dimensions and relatively high scored countries. trols. Besides that, technical controls are generally prevention
focused, such as A.10 (Cryptography), which is highly techni-
These discussed cultural dimensions provide appropriate
cal and prevention based. As expected, the Annex A controls
criteria for a structured comparison with the ISO 27001 stan-
are mainly based on prevention. Reaction and detection groups
dard. In addition, these cultural dimensions may enhance the
are considered as the second and third rank. The A.14, A.16
effectiveness of the ISO 27001 standard, concerning described
and A.18 controls of the Annex A are mostly based on the re-
cultural biases in the selection and implementation of required
action concept, which are mainly focused on maintenance ac-
controls for protecting an organisation. Managements percep-
tions. Moreover, the A.17 is particularly focused on reaction
tions possibly influence the definition of formal procedures,
concept, which is focused on business continuity management.
and employees attitudes may affect implementation and de-
The detection group has approximately the same level of dis-
sign phases of the controls. The Annex A controls are mainly
tribution. The A.11 and A.12 are mainly based on the detection
classified to three general groups of detection, prevention and
concept.
reaction, as Fig. 2 shows. Most of the control domains defined
in the Annex A (from A.5 to A.18) are influenced by all these Afterwards, the Annex A controls are analysed thoroughly,
three groups of action. to come up with the aim of the controls based on the
Hofstedes selected dimensions of PDI, UAI, and IDV. These
investigated controls are based on the people category [7], to
define their effects on the process of control selection or im-
plementation. The main goal of almost all the controls is to
eliminate different types of uncertainty in the future. Besides
that, some controls aim to reduce or prevent the likelihood of
future uncertainty. These three selected dimensions influence
most of the control domains with different levels of distribu-
tion, as Fig. 3 shows.

163
Figure 3. Controls classification based on the Hofstede selected dimension
The Fig. 3 statistics demonstrate the highest level of the
controls focus is on the UAI dimension, which is an expected
result, as the prevention-focus is greatly associated with the
objectives of the ISO 27001 standard. The controls related to
the UAI are highly distributed in different stages of ISO 27001
development. Around 95% of the controls relevant to people
are focused on the UAI dimension. The IDV is on the second
stage of Annex A controls focus. The IDV may have more
security concerns and they may be more precise about defining
guidelines and rules, for example access control polices, such
as A.9.2.2 (User access provisioning). However, collectivism
may have less security concerns about internal unauthorized
access. The PDI is mainly influenced by the controls relevant
to management, and the controls mostly relevant to defining
and communicating policies, such as A.7.2.1 (Management
responsibilities). The IDV and PDI have different levels of
distribution between controls. These three cultural dimensions
of Hofstede affect the A.7 controls, all together. These three
dimensions also affect some controls, such as A.7.2.2 (Infor-
mation security awareness, education and training). Hofstedes
dimensions do not affect A.10, A.13, A.15 and A.16 at all, as
these controls address technical issues and cultural character-
istics usually do not affect technical controls, such as encryp-
tion methods. Most of the controls are influenced by approxi-
mately 50% of the UAI dimension, and mixed distribution of
the two other Hofstedes dimensions (IDV and PDI).
The rest of the analysis was based on all the controls de-
fined in the Annex A. Generally, the aim of the controls is
monitoring directly (by formal rules or policies), such as
A.6.2.1 (Mobile device policy), or monitoring indirectly (by
defining procedures, and the recommended secure methods of
completing a task), such as A.9.1.2 (Access to networks and
network services). Consequently, monitoring and uncertainty
avoidance is to some extent relevant to all types of the controls.
Fig. 4 presents the focus of the Annex A controls based on Gel-
fands dimensions.
164
Figure 4. Controls classification based on the Gelfand dimension
As Fig. 4 shows, the focus of the controls is on direct moni-
toring. As the level of monitoring determines the main differ-
ences between Gelfands tightness-looseness dimensions, the
controls are classified based on the monitoring concept (con-
trols are either affected directly or indirectly). Out of 114 con-
trols defined in the Annex A, direct monitoring influences 55%
of controls. The A.7, A.10, A.16, A.17, and A.18 are mainly
based on direct monitoring. Adopting these controls may be a
challenge for loose countries. Indirect monitoring may be of
favour for loose countries, while tight countries prefer accurate
and detailed procedures of accomplishing tasks. Accordingly,
tight countries may adopt ISO 27001 more than loose coun-
tries. Indirect monitoring is the main focus of the A.6, A.11,
and A.13, which can indicate high level of adoption by both
tight and loose countries.
To investigate an organisational culture, McClellands
framework is selected. The controls relevant to managements
roles and responsibilities are considered for this aim, which are
approximately 18 % of the total controls. McClellands leader-
ship framework is highly distributed in the A.6 and A.7 con-
trols. These results indicate the controls relevant to the A.6 and
A.7 domains can be biased by managements perception and
decisions. This leadership framework does not affect the A.14,
A.15, or A.17.
Normans Big 5 is selected for the personal cultural dimen-
sion, which mainly influences the controls relevant to employ-
ees selection, tasks, and duties. These controls are around 44
% of the total controls focus. The Big 5 dimensions have the
least level of impact on the A.14 and A.17 controls. The A.6,
A.7, A.9, and A.15 are highly affected by Big 5 personality
(considering employees characteristics). So, the employees
personality can influence the effectiveness level of these con-
trols execution and maintenance.
Fig. 5 displays the average of cultural characteristics effects
on each control domain in the Annex A. It provides an over-
view of the entire discussed cultural dimensions in one glance,
regardless of the three defined levels and classifications.
Figure 5. The relationship between Annex A controls and selected cultural
dimensions
Based on the gained results, the highly affected controls
from the ten cultural dimensions (see Fig. 1) are A.5, A.6, and
A.7 controls (more than 50%). These types of controls are
called cultural controls. However, the least level of influence
from the discussed cultural dimensions is on A.10, A.16, and
A.17 controls (less than 30%). These technical or maintenance
controls are not possibly influenced by the cultural characteris-
tics.
All in all, when a national ISMS standard is developed in a
country, the slightly affected controls can be mapped directly
from ISO 27001, without any particular change. However, the
cultural controls (such as policies or human resource related
controls) are significantly important. Concerning ISO 27001
standard, the Annex A control domains do not have the same
weight in every organisation and every country. Some of these
controls are not considered sufficiently in one country, while
they are highly concerned in other countries (like privacy re-
lated controls). As a result, the development stages of the ISO
27001 are possibly influenced by the cultural characteristics of
the people designing or implementing this standard. These cul-
tural concerns can influence the development phases of ISMS
guidelines and the security polices of an organisation, as these
guidelines mostly share generic, common and almost the same
security concerns. These results are specifically defined for the
ISO 27001 standard.
165
Figure 6. The ratio of 10 cultural dimensions in each control
At last, Fig. 6 presents the ratio of these ten cultural dimen-
sions distributions in comparison to other dimensions, for each
control domain separately. It shows all ten cultural dimensions
with different ratios, influence some controls such as A.5, A.6,
A.7, A.8, and A.18. However, some other controls such as
A.10, A.15, A.16 and A.17 are not influenced by all dimen-
sions, and in average impacted by less than half of the dimen-
sions. All the dimensions with the same level of distribution
affect the A.5. However, the A.10 or A.17 are less cultural
based, and the effects of cultural dimensions can be ignored for
these types of controls.
To sum up, the higher level of focus on one of the dimen-
sions may raise specific cultural biases, which influence the
effectiveness of the ISO 27001 development. For example,
Hofstedes dimensions do not influence the A.10, A.13, A.15,
and A.16. The A.11 is highly based on the indirect monitoring,
detection and prevention focuses, with the same level of distri-
bution. More than that, the A.11 and A.12 controls have the
highest level of prevention-focus. Not surprisingly, the country
level is adopted for assessing the confirmation rate of the ISO
27001, worldwide. It is expected that national cultural charac-
teristics have a considerable impact on the success of this stan-
dard. As the results illustrate, the organisational and personal
characteristics also influence the strength and execution ap-
proaches of developing the ISO 27001. The main focus of the
Annex A controls is on uncertainty avoidance, direct monitor-
ing and prevention. The country level has the highest level of
effect on the development stages of the ISO 27001, following
by personal and organisational cultural characteristics. The PDI
dimension has the least level of impact on the Annex A con-
trols. An empirical study is considered as further steps for this
research.
In conclusion, this paper suggests organisations to consider
one pre-phase (called pre-phase plan) before establishing the
first phase of developing the ISO 27001 (this first phase is
called plan in the ISO 27001: 2005 [13]). This pre-phase is
aimed for analysing the current organisational culture, which
conducts the ISO 27001 development process in a systematic
and organised manner, and clarifies the expected results and
possible difficulties. The pre-phase plan analysis uses resources
(such as human, time and budget) more efficiently and practi-
cally, which can prevent higher future resources consumption
and the discussed security concerns. It can considerably en-
hance the development success and the adoption rate of this
standard, which can prevent possible failure points of the dis-
cussed cultural biases. This pre-phase plan is also useful for
estimating organisations readiness, as it helps remarkably to
have more concrete and realistic perceptions about the ex-
pected results and resources consumption requirements.
V. CONCLUSION
This paper investigated the impacts of cultural dimensions
on the efficiency level of ISO 27001 controls implementation.
Understanding security issues and potential problems caused
by cultural characteristics, and biases helps organisations to
improve the development phases of ISO 27001, concerning
required efforts and resources. Being aware of these cultural
effects at the three levels of country, organisational and per-
sonal is a requirement for adopting this international standard.
This awareness helps greatly to define an appropriate level of
resources and preparations requirements to increase the ISO
27001 efficiency.
As the results show, the main focus of the controls is based
on prevention and uncertainty avoidance. Compliance, adop-
tion and the ability of mapping between the cultural dimen-
sions and the controls defined in the Annex A are also helpful
in choosing dimensions from discussed literature at three levels
of country, organisational and personal. The countrys cultural
characteristics have the highest level of impact on the ISO
27001 adoption and development phases. The UAI dimension
as both individual and national characteristics have the highest
level of effect on the efficiency and benefits of the ISO 27001.
The personal and organisational dimensions affect the controls
relevant to employees tasks and managements decisions as
important factors for the ISO 27001 success.
This paper recommends a pre-phase plan before commenc-
ing the first phase of the ISO 27001 development as cultural
analysis, to evaluate the dominant and effective culture of that
particular organization (considering national and organizational
culture mainly) for enhancing the ISO 27001 output results and
effectiveness level. The organisations readiness is important
for adopting any ISMS standard, especially ISO 27001. Adopt-
ing and implementing ISO 27001 with high level of benefits
and achievements require a cultural change. Based on the
gained results, some controls (such as information security
policies) are influenced by all ten cultural dimensions, ob-
served in this paper. When a national ISMS standard is de-
signed, these cultural controls require special attention and care
for implementation and customization. The mentioned cultural
dimensions do not highly affect some other controls, such as
cryptography.
166
REFERENCES
[1] Siponen, M., Willison, R.: Information Security Management Standards:
Problems and Solutions, J. Information & Management. 46, 267270
(2009)
[2] International Organization for Standardization/ International Electro-
technical Commission: ISO/IEC 27001:2013: Information Technology
Security Techniques Information Security Management Systems
Requirements (2013)
[3] SANS institute: Developing a Security-Awareness Culture - Improving
Security Decision Making (2005)
[4] Gelfand, M., Nishii, L., Raver, J.: On the Nature and Importance of
Cultural TightnessLooseness, Journal of Applied Psychology. 91,
1225-1244 (2007)
[5] Veiga, A., Eloff, J.: A framework and Assessment Instrument for
Information Security Culture, J. Computers & Security. 29 (2009)
[6] Rolland, J.: The Cross-Cultural Generalizability of the Five-Factor
Model of Personality, J. International and Cultural Psychology, 7-28
(2011)
[7] Shojaie, B., Federrath, H., Saberi, I.: Evaluating the Effectiveness of
ISO 27001: 2013 Based on Annex A. In: Ninth International Conference
on Availability, Reliability and Security (ARES), pp. 259 264,
Switzerland (2014)
[8] Ashenden, D., Willison, R.: Information Security Management: A
Human Challenge?, Information Security Technical Report.
j.istr.2008.10.006 (2008)
[9] Hirsch, C., Ezingread, J.N.: perceptual and cultural Aspects of Risk
Management Alighnment: a case study, J. Information & Management.
JISSec 4 (1) (2008)
[10] Ifinedo, P.: Relationships between Relevant Contextual Influences and
Information Security Threats and Controls in Global Financial Services
Industry, CIT. Journal of Computing and Information Technology.
21(2013)
[11] J. Knapp, K., et al.: Information Security: Management's Effect on
Culture and Policy, J. Information Management & Computer Security.
14, 24-36 (2006)
[12] Uebelacker, S.: Security-Aware Organizational Cultures as a Starting
Point for Mitigating Socio-Technical Risks, Germany, 2046-2057(2013)
[13] International Organization for Standardization/ International Electro-
technical Commission: ISO/IEC 27001:2005: Information technology
Security techniques Information security management systems
Requirements (2005)
[14] Hofstede, G., Minkov, M.: Cultures and Organizations: Software of the
Mind. 3rd Edition, McGraw-Hill, USA (2010)
[15] Javidan, M., House, R.J., Dorfman, P.W., Hanges, P.J., Luque, M.S.:
Conceptualizing and Measuring Cultures And Their Consequences: A
Comparative Review of GLOBEs and Hofstedes Approaches, Journal
of International Business Studies, 898-914 (2006)
[16] Gelfand, M., et al.: Differences Between Tight and Loose Cultures: A
33-Nation Study, J. Science. 332, 1100-1104 (2011)
[17] Maignan, I.: Consumers Perceptions of Corporate Social
Responsibilities: A Cross-Cultural Comparison, Journal of Business
Ethics. 30, 57-72 (2001)
[18] Paulsen, C., Coulson T.: Beyond Awareness: Using Business
Intelligence to Create a Culture of Information Security, J.
Communications of the IIMA. 11, 35- 54 (2011)
[19] Chen, C., Medlin, B.: A Cross Cultural Investigation of Situational
Information Security Awareness Programs, J. Information Management
& Computer Security. 16 (1993)
[20] Ifinedo, P.: Information Technology Security Management Concerns in
Global Financial Services Institutions: Is National Culture A
Differentiator?, J. Information Management & Computer Security
(2009)
[21] Kawasaki, R., Hiromatsu, T.: Proposal of a Model Supporting Decision-
Making on Information Security Risk Treatment, Int. J. Computer,
Information, Systems and Control Engineering. 8, 545- 551 (2014)
[22] McClelland, D., Boyatzis, R.: Leadership Motive Pattern and Long- [24] Ifinedo, P.: The Effects of National Culture on the Assessment of
Term Success in Management, J. Applied Psychology. 67(6), 737-743 Information Security Threats and Controls in Financial Services
(1982) Industry, International Journal of Electronic Business Management. 12,
[23] Koopman, P., Den Hartog D., Konrad, E., et al.: 2010, National Culture 75-89 (2014)
and Leadership Profiles in Europe: Some Results From the GLOBE
Study, European Journal of Work and Organizational Psychology. 8,
503-520 (2010)

Appendix: Country cultural dimensions distribution

Dimension
UAI [11] PDI [11] IDV [11] Tight [20] Loose [20]
Country
Sample 1 Belgium Guatemala Canada India Ukraine
Sample 2 Japan Malaysia Hungary Malaysia Estonia
Sample 3 Greece China USA Pakistan Hungary
Sample 4 Russia Panama Australia Singapore Brazil
Sample 5 France Philippines UK S. Korea Netherlands
The full description of each dimension is provided in the Section III, Subsection A. Country level Classification. This table
indicates five selected countries, based on the country level cultural dimensions. These selected countries are relatively high in
that particular cultural dimension. Each row presents a particular dimension, and each column relatively shows five selected high
scored countries.

167