| Researchers in the area information security have argued that organizations need an information security culture over and beyond technological defenses and best practices to ensure the security of information assets in organizations (Dhillon 1995; Siponen 2000; Stanton, Stam, Mastrangelo and Jolton 2005). However, there are few empirical studies on the subject of security culture or security subcultures in organizations. The current study examines security subcultures in organizations. It is based on two premises. The first premise is that security culture in an organization consists of a collection of security subcultures associated with different departments or professional groups in the organization. The second premise is that there may be significant differences between the espoused security subculture and the enacted security subculture in an organization.; The study begins by developing a conceptual framework based on an in-depth literature review. The conceptual framework indicates the factors internal or external to the organization that may affect espoused and enacted security subcultures. Using the conceptual framework for guidance, a qualitative study was conducted. The study included a case study of selected professional groups, i.e., accounting, human resources, marketing (university advancement) and information technology, in a target organization. Corresponding groups of professionals working in diverse organizations, but not in the target organization, were also interviewed. Based on the starting conceptual framework and an analysis of the interviews, a theoretical model of security subcultures in organizations is developed along with propositions.; Initial premises are borne out. There are differences in the security subcultures across different professional groups in an organization. Also, enacted security subcultures do vary from espoused security subcultures, particularly under conditions of high performance pressure. The effects of factors proposed in the initial framework are explored in depth. Additional factors affecting the security subcultures were surfaced in the study. These included middle management, news reports of security incidents and personal experiences with security incidents. The influence of middle management on security subcultures was strong, while that of news reports and personal experiences with security incidents varied across groups.; Overall, the study provides an in depth look at security subcultures that may exist in an organization, and the various factors that influence those subcultures. |
