{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,8,2]],"date-time":"2025-08-02T18:01:41Z","timestamp":1754157701937,"version":"3.41.2"},"reference-count":53,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2006,5,1]],"date-time":"2006-05-01T00:00:00Z","timestamp":1146441600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2006,5,1]]},"abstract":"Purpose<\/jats:title>The purpose of this paper is to examine the potential of cultural theory as a tool for identifying patterns in the stakeholders' perception of risk and its effect on information system (IS) risk management.<\/jats:p><\/jats:sec>Design\/methodology\/approach<\/jats:title>Risk management involves a number of human activities which are based on the way the various stakeholders perceive risk associated with IS assets. Cultural theory claims that risk perception within social groups and structures is predictable according to group and individual worldviews; therefore this paper examines the implications of cultural theory on IS risk management as a means for security experts to manage stakeholders perceptions.<\/jats:p><\/jats:sec>Findings<\/jats:title>A basic theoretical element of cultural theory is the grid\/group typology, where four cultural groups with differentiating worldviews are identified. This paper presents how these worldviews affect the process of IS risk management and suggests key issues to be considered in developing strategies of risk management according to the different perceptions cultural groups have.<\/jats:p><\/jats:sec>Research limitations\/implications<\/jats:title>The findings of this research are based on theoretical analysis and are not supported by relevant empirical research. Further research is also required for incorporating the identified key issues into information security management systems (ISMS).<\/jats:p><\/jats:sec>Originality\/value<\/jats:title>IS security management overlooks stakeholders' risk perception; for example, there is no scheme developed to understand and manage the perception of IS stakeholders. This paper proposes some key issues that should be taken into account when developing strategies for addressing the issue of understanding and managing the perception of IS stakeholders.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220610670378","type":"journal-article","created":{"date-parts":[[2006,7,4]],"date-time":"2006-07-04T05:22:50Z","timestamp":1151990570000},"page":"198-217","source":"Crossref","is-referenced-by-count":22,"title":["Formulating information systems risk management strategies through cultural theory"],"prefix":"10.1108","volume":"14","author":[{"given":"Aggeliki","family":"Tsohou","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Maria","family":"Karyda","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Spyros","family":"Kokolakis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Evangelos","family":"Kiountouzis","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022031720073179900_b1","doi-asserted-by":"crossref","unstructured":"Altman, Y. and Baruch, Y. (1998), \u201cCultural theory and organizations: analytical method and cases\u201d, Organization Studies, Vol. 19 No. 5, pp. 769\u201085.","DOI":"10.1177\/017084069801900503"},{"key":"key2022031720073179900_b2","doi-asserted-by":"crossref","unstructured":"Baskerville, R. (1991), \u201cRisk analysis: an interpretive feasibility tool in justifying information systems security\u201d, European Journal of Information Systems, Vol. 1 No. 2, pp. 121\u201030.","DOI":"10.1057\/ejis.1991.20"},{"key":"key2022031720073179900_b3","doi-asserted-by":"crossref","unstructured":"Bella, D. (1987), \u201cOrganizations and systematic distortion of information\u201d, Journal of Professional Issues in Engineering, Vol. 113 No. 4, pp. 360\u201070.","DOI":"10.1061\/(ASCE)1052-3928(1987)113:4(360)"},{"key":"key2022031720073179900_b4","doi-asserted-by":"crossref","unstructured":"Boholm, A. (1996), \u201cRisk perception and social anthropology: a critique of cultural theory\u201d, Ethnos, Vol. 61 Nos 1\/2, pp. 64\u201084.","DOI":"10.1080\/00141844.1996.9981528"},{"key":"key2022031720073179900_b5","unstructured":"Computer Security Institute (2005), CSI\/FBI Computer Crime and Security Survey, CSI Inc., Miamai, OK."},{"key":"key2022031720073179900_b6","doi-asserted-by":"crossref","unstructured":"Cresson Wood, C. (1995), \u201cInformation security awareness raising methods\u201d, Computer Fraud & Security Bulletin, Vol. 1995 No. 6, pp. 13\u201015.","DOI":"10.1016\/0142-0496(95)80197-9"},{"key":"key2022031720073179900_b7","doi-asserted-by":"crossref","unstructured":"Cresson Wood, C. (1997), \u201cPolicies alone do not constitute a sufficient awareness effort\u201d, Computer Fraud & Security, Vol. 1997 No. 12, p. 14.","DOI":"10.1016\/S1361-3723(00)80007-X"},{"key":"key2022031720073179900_b9","doi-asserted-by":"crossref","unstructured":"Dake, K. (1991), \u201cOrienting dispositions in the perception of risk: an analysis of contemporary worldviews and cultural biases\u201d, Journal of Cross\u2010cultural Psychology, Vol. 22 No. 1, pp. 61\u201082.","DOI":"10.1177\/0022022191221006"},{"key":"key2022031720073179900_b10","doi-asserted-by":"crossref","unstructured":"Dake, K. (1992), \u201cMyths of nature: culture and the social construction of risk\u201d, Journal of Social Issues, Vol. 48 No. 4, pp. 21\u201037.","DOI":"10.1111\/j.1540-4560.1992.tb01943.x"},{"key":"key2022031720073179900_b8","doi-asserted-by":"crossref","unstructured":"Dake, K. and Wildavsky, A. (1991), \u201cIndividual differences in risk perception and risk\u2010taking preferences\u201d, in Garrick, B.J. and Gekler, W.C. (Eds), The Analysis, Communication, and Perception of Risk, Plenum Press, New York, NY, pp. 15\u201024.","DOI":"10.1007\/978-1-4899-2370-7_2"},{"key":"key2022031720073179900_b11","doi-asserted-by":"crossref","unstructured":"Deery, H. (1999), \u201cHazards and risk perception among young novice drivers\u201d, Journal of Safety Research, Vol. 30 No. 4, pp. 225\u201036.","DOI":"10.1016\/S0022-4375(99)00018-3"},{"key":"key2022031720073179900_b41","unstructured":"DFS (2005), SBA Security: SBA\u2010Scenario, Swedish Information Processing Society, available at: www.dfs.se\/products\/sbaeng\/method\/ (accessed 27 September 2005)."},{"key":"key2022031720073179900_b14","unstructured":"Douglas, M. (1978), \u201cCultural bias\u201d, Occasional Paper No. 35, Royal Anthropological Institute of Great Britain and Ireland."},{"key":"key2022031720073179900_b13","unstructured":"Douglas, M. (1992), Risk and Blame: Essays in Cultural Theory, Routledge, London."},{"key":"key2022031720073179900_b12","doi-asserted-by":"crossref","unstructured":"Douglas, M. and Wildavsky, A. (1982), Risk and Culture: An Assay on the Selection of Technological and Environmental Dangers, University of California Press, Berkeley, CA.","DOI":"10.1525\/9780520907393"},{"key":"key2022031720073179900_b15","doi-asserted-by":"crossref","unstructured":"Finucane, M. and Holup, J. (2005), \u201cPsychosocial and cultural factors affecting the perceived risk of genetically modified food: an overview of the literature\u201d, Social Science & Medicine, Vol. 60, pp. 1603\u201012.","DOI":"10.1016\/j.socscimed.2004.08.007"},{"key":"key2022031720073179900_b16","doi-asserted-by":"crossref","unstructured":"Frosdick, S. (1997), \u201cThe techniques of risk analysis are insufficient in themselves\u201d, Disaster Prevention and Management, Vol. 6 No. 3, pp. 165\u201077.","DOI":"10.1108\/09653569710172937"},{"key":"key2022031720073179900_b17","doi-asserted-by":"crossref","unstructured":"Gerber, M. and von Solms, R. (2005), \u201cManagement of risk in the information age\u201d, Computers and Security, Vol. 24 No. 1, pp. 16\u201030.","DOI":"10.1016\/j.cose.2004.11.002"},{"key":"key2022031720073179900_b18","unstructured":"Gross, J. and Rayner, S. (1985), Measuring Culture, Columbia University Press, New York, NY."},{"key":"key2022031720073179900_b19","doi-asserted-by":"crossref","unstructured":"Hansche, S. (2001), \u201cDesigning a security awareness program: part I\u201d, Information Systems Security, Vol. 9 No. 6, pp. 14\u201022.","DOI":"10.1201\/1086\/43298.9.6.20010102\/30985.4"},{"key":"key2022031720073179900_b20","unstructured":"Institute of Risk Management (2002), A Risk Management Standard, AIRMIC, ALARM, IRM, , available at: www.theirm.org\/ (accessed 4 October 2005)."},{"key":"key2022031720073179900_b22","unstructured":"ISO\/IEC 17799 (2005), Information Technology \u2013 Security Techniques \u2013 Code of Practice for Information Security Management, ISO\/IEC, Geneva."},{"key":"key2022031720073179900_b23","unstructured":"ISO\/IEC 27001 (2005), Information Technology \u2013 Security Techniques \u2013 Information Security Management Systems \u2013 Requirements, ISO\/IEC, Geneva."},{"key":"key2022031720073179900_b25","unstructured":"Karyda, M., Kokolakis, S. and Kiountouzis, E. (2004), \u201cInformation systems security and the structuring of organisations\u201d, Proceedings of the 7th International Conference on the Social and Ethical Impacts of Information and Communication Technologies (ETHICOMP 2004), Syros, Greece, pp. 451\u201061."},{"key":"key2022031720073179900_b24","doi-asserted-by":"crossref","unstructured":"Karyda, M., Kiountouzis, E. and Kokolakis, S. (2005), \u201cInformation systems security: a contextual perspective\u201d, Computers and Security Journal, Vol. 24 No. 3, pp. 246\u201060.","DOI":"10.1016\/j.cose.2004.08.011"},{"key":"key2022031720073179900_b26","unstructured":"Kasperson, R. (1992), \u201cThe social amplification of risk: progress in developing an integrative framework\u201d, in Krimsky, S. and Golding, D. (Eds), Social Theories of Risk, Chapter 6.Vol. 6, Praeger, London, pp. 153\u201078."},{"key":"key2022031720073179900_b27","doi-asserted-by":"crossref","unstructured":"Langford, I., Georgiou, S., Bateman, I., Day, R. and Turner, R. (2000), \u201cPublic perceptions of health risks from polluted coastal bathing waters: a mixed methodological analysis using cultural theory\u201d, Risk Analysis: An International Journal, Vol. 20 No. 5, pp. 691\u2010705.","DOI":"10.1111\/0272-4332.205062"},{"key":"key2022031720073179900_b28","doi-asserted-by":"crossref","unstructured":"Leach, J. (2003), \u201cImproving user security behaviour\u201d, Computers and Security, Vol. 22 No. 8, pp. 685\u201092.","DOI":"10.1016\/S0167-4048(03)00007-5"},{"key":"key2022031720073179900_b29","doi-asserted-by":"crossref","unstructured":"Lima, M. and Castro, P. (2005), \u201cCultural theory meets the community: worldviews and local issues\u201d, Journal of Environmental Psychology, Vol. 25 No. 1, pp. 23\u201035.","DOI":"10.1016\/j.jenvp.2004.11.004"},{"key":"key2022031720073179900_b30","unstructured":"Marris, C., Langford, I. and O'Riordan, T. (1996U), \u201cIntegrating sociological and psychological approaches to public perceptions of environmental risks: detailed results from a questionnaire survey\u201d, Centre for Social and Economic Research on the Global Environment, University of East Anglia, Norwich."},{"key":"key2022031720073179900_b31","doi-asserted-by":"crossref","unstructured":"Mars, G. (1996), \u201cHuman factor failure and the comparative structure of jobs: the implications for risk management\u201d, Journal of Managerial Psychology, Vol. 11 No. 3, pp. 4\u201011.","DOI":"10.1108\/02683949610113557"},{"key":"key2022031720073179900_b32","doi-asserted-by":"crossref","unstructured":"Ney, S. and Molenaars, N. (1999), \u201cCultural theory as theory of democracy\u201d, Innovation, Vol. 12 No. 4.","DOI":"10.1080\/13511610.1999.9968622"},{"key":"key2022031720073179900_b33","unstructured":"NIST: 800\u201030 (2002), Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology, NIST, Dallas, TX."},{"key":"key2022031720073179900_b34","doi-asserted-by":"crossref","unstructured":"Peltier, T. (2005), \u201cImplementing an information security awareness program\u201d, Information Systems Security, Vol. 14 No. 2, pp. 12\u201037.","DOI":"10.1201\/1086\/45241.14.2.20050501\/88292.6"},{"key":"key2022031720073179900_b35","doi-asserted-by":"crossref","unstructured":"Pfleeger, S. (2000), \u201cRisky business: what we have yet to learn about risk management\u201d, Journal of Systems Software, Vol. 53, pp. 265\u201073.","DOI":"10.1016\/S0164-1212(00)00017-0"},{"key":"key2022031720073179900_b38","unstructured":"Rayner, S. (1984), \u201cDisagreeing about risk: the institutional cultures of risk management and planning for future generations\u201d, in Halden, S. (Ed.), Risk Analysis, Institutions, and Public Policy, Associated Faculty Press, New York, NY, pp. 150\u201069."},{"key":"key2022031720073179900_b39","doi-asserted-by":"crossref","unstructured":"Rayner, S. (1986), \u201cManagement of radiation hazards in hospitals: plural rationalities in a single institution\u201d, Social Studies of Science, Vol. 16, pp. 573\u201091.","DOI":"10.1177\/030631286016004002"},{"key":"key2022031720073179900_b37","unstructured":"Rayner, S. (1992), \u201cCultural theory and risk analysis\u201d, in Krimsky, S. and Golding, D. (Eds), Social Theories of Risk, Praeger, Westport, CT, pp. 83\u2010116."},{"key":"key2022031720073179900_b36","doi-asserted-by":"crossref","unstructured":"Rayner, S. and Cantor, R. (1987), \u201cHow fair is safe enough? The cultural approach to societal technology choice\u201d, Risk Analysis, Vol. 7, pp. 3\u201010.","DOI":"10.1111\/j.1539-6924.1987.tb00963.x"},{"key":"key2022031720073179900_b40","doi-asserted-by":"crossref","unstructured":"Rippl, S. (2002), \u201cCultural theory and risk perception: a proposal for a better measurement\u201d, Journal of Risk Research, Vol. 5 No. 2, pp. 147\u201065.","DOI":"10.1080\/13669870110042598"},{"key":"key2022031720073179900_b42","doi-asserted-by":"crossref","unstructured":"Siponen, M. (2000), \u201cA conceptual foundation for organizational information security awareness\u201d, Information Management & Computer Security, Vol. 8 No. 1, pp. 31\u201041.","DOI":"10.1108\/09685220010371394"},{"key":"key2022031720073179900_b44","doi-asserted-by":"crossref","unstructured":"Sj\u00f6berg, L. (1997), \u201cExplaining risk perception: an empirical evaluation of cultural theory\u201d, Risk, Decision and Policy, Vol. 2 No. 2, pp. 113\u201030.","DOI":"10.1080\/135753097348447"},{"key":"key2022031720073179900_b45","unstructured":"Sj\u00f6berg, L. (1998), \u201cWorld views, political attitudes and risk perception\u201d, Risk: Health, Safety and Environment, Vol. 9 No. 2, pp. 137\u201052."},{"key":"key2022031720073179900_b43","doi-asserted-by":"crossref","unstructured":"Sjoberg, L. (2000), \u201cFactors in risk perception\u201d, Risk Analysis, Vol. 20 No. 1.","DOI":"10.1111\/0272-4332.00001"},{"key":"key2022031720073179900_b46","doi-asserted-by":"crossref","unstructured":"Slovic, P., Fischoff, B. and Lichtenstein, S. (1980), \u201cFacts and fears: understanding perceived risk\u201d, in Schwing, R.C. and Albers, W.A. (Eds), Societal Risk Assessment. How Safe is Safe Enough?, Plenum, London, pp. 181\u2010216.","DOI":"10.1007\/978-1-4899-0445-4_9"},{"key":"key2022031720073179900_b47","doi-asserted-by":"crossref","unstructured":"Smallman, C. and Weir, D. (1999), \u201cCommunication and cultural distortion during crises\u201d, Disaster Prevention and Mangement, Vol. 8 No. 1, pp. 33\u201041.","DOI":"10.1108\/09653569910258219"},{"key":"key2022031720073179900_b48","doi-asserted-by":"crossref","unstructured":"Tansey, J. and O'Riordan, T. (1999), \u201cCultural theory and risk: a review\u201d, Health Risk Society, Vol. 1 No. 1.","DOI":"10.1080\/13698579908407008"},{"key":"key2022031720073179900_b49","unstructured":"Thompson, M., Richard, E. and Wildavsky, A. (1990), Cultural Theory, Westview Press, Boulder, CO."},{"key":"key2022031720073179900_b50","unstructured":"Torbjorn, R. (2004), \u201cExplaining risk perception: an evaluation of cultural theory, Norwegian university of science and technology\u201d,Vol. 85, Norwegian University of Science and Technology, Department of Psychology, Trondheim."},{"key":"key2022031720073179900_b51","doi-asserted-by":"crossref","unstructured":"Trompeter, C. and Eloff, J. (2001), \u201cA framework for the implementation of socio\u2010ethical controls in information security\u201d, Computers and Security, Vol. 20 No. 5, pp. 384\u201091.","DOI":"10.1016\/S0167-4048(01)00507-7"},{"key":"key2022031720073179900_b52","unstructured":"Walsham, G. (1993), Interpreting Information Systems in Organizations, Wiley, Chichester."},{"key":"key2022031720073179900_b53","doi-asserted-by":"crossref","unstructured":"Whitman, M., Towsend, A. and Aalberts, R. (2001), \u201cinformation systems security and the need for policy\u201d, in Dhillon, G. (Ed.), Information Security Management: Global Challenges in the New Millennium, Idea Group Publishing, Harshey, PA.","DOI":"10.4018\/978-1-878289-78-0.ch002"},{"key":"key2022031720073179900_frd1","unstructured":"ISO\/IEC (2000), Information Technology\u2010Code of Practice for Information Security Management, ISO\/IEC 17799, Geneva."}],"container-title":["Information Management & Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220610670378\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220610670378\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:08:57Z","timestamp":1753402137000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/14\/3\/198-217\/172305"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2006,5,1]]},"references-count":53,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2006,5,1]]}},"alternative-id":["10.1108\/09685220610670378"],"URL":"https:\/\/doi.org\/10.1108\/09685220610670378","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2006,5,1]]}}}