Users' deviant behaviors, unawareness, misuse, apathy, and resistance are usually the primary reasons for security breaches. Furthermore, there is a significant lack of information security studies on how cultural phenomena impact the intention to comply with information security policies among individuals from different cultural backgrounds. Thus, the objectives of this study were to empirically examine which behavioral and cultural factors most influence an individual’s intention to comply with information security policies (ISP), and how compliance with these policies can vary between countries and cultural backgrounds. It also sought to understand the competing factors that could potentially impact security performance by keeping cybersecurity risks down. To answer these questions, we administered a web-based survey, sent by e-mail and posted on various professional forums, to information security professionals and practitioners from the AMER, APAC and EMEA business regions.
We successfully developed a model that predicts employees’ intention to comply with information security policies with a high level of accuracy. This model was validated with multiple statistical analyses, including PLS-SEM, bootstrapping, and multi-group analysis, to corroborate the existence of differences among cultural backgrounds. Our results demonstrate that there are significant differences for APAC and EMEA, but not for AMER, in their corresponding relation with the intention to comply with ISP.
We also identified positive and negative correlations between cultural and behavioral factors, which could help to better understand how they can also impact the security posture of an institution. Findings from this study could contribute to the existing literature by demonstrating the influential effects of Individualism, Power Distance, Masculinity, Uncertainty Avoidance, and Long-term Orientation on actual information security compliance behavior across different business regions, a research field that had remained unexplored. Furthermore, given that our results suggest that companies can reduce cybersecurity risks by complying with ISP, organizations should consider getting their employees to believe that behaving securely and complying with ISP can keep security breaches down.