{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T19:03:22Z","timestamp":1774551802487,"version":"3.50.1"},"reference-count":57,"publisher":"Emerald","issue":"2","license":[{"start":{"date-parts":[[2017,6,12]],"date-time":"2017-06-12T00:00:00Z","timestamp":1497225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["ICS"],"published-print":{"date-parts":[[2017,6,12]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-subheading\">Purpose<\/jats:title><jats:p>This paper provides new insights about security behaviour in selected US and Irish organisations by investigating how organisational culture and procedural security countermeasures tend to influence employee security actions. An increasing number of information security breaches in organisations presents a serious threat to the confidentiality of personal and commercially sensitive data. While recent research shows that humans are the weakest link in the security chain and the root cause of a great portion of security breaches, the extant security literature tends to focus on technical issues.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Design\/methodology\/approach<\/jats:title><jats:p>This paper builds on general deterrence theory and prior organisational culture literature. The methodology adapted for this study draws on the analytical grounded theory approach employing a constant comparative method.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Findings<\/jats:title><jats:p>This paper demonstrates that procedural security countermeasures and organisational culture tend to affect security behaviour in organisational settings.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Research limitations\/implications<\/jats:title><jats:p>This paper fills the void in information security research and takes its place among the very few studies that focus on behavioural as opposed to technical issues.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Practical implications<\/jats:title><jats:p>This paper highlights the important role of procedural security countermeasures, information security awareness and organisational culture in managing illicit behaviour of employees.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-subheading\">Originality\/value<\/jats:title><jats:p>This study extends general deterrence theory in a novel way by including information security awareness in the research model and by investigating both negative and positive behaviours.<\/jats:p><\/jats:sec>","DOI":"10.1108\/ics-03-2017-0013","type":"journal-article","created":{"date-parts":[[2017,4,27]],"date-time":"2017-04-27T07:54:51Z","timestamp":1493279691000},"page":"118-136","source":"Crossref","is-referenced-by-count":47,"title":["Organisational culture, procedural countermeasures, and employee security behaviour"],"prefix":"10.1108","volume":"25","author":[{"given":"Lena","family":"Yuryna Connolly","sequence":"first","affiliation":[]},{"given":"Michael","family":"Lang","sequence":"additional","affiliation":[]},{"given":"John","family":"Gathegi","sequence":"additional","affiliation":[]},{"given":"Doug J.","family":"Tygar","sequence":"additional","affiliation":[]}],"member":"140","reference":[{"issue":"4","key":"key2020120707584220800_ref001","doi-asserted-by":"crossref","first-page":"276","DOI":"10.1016\/j.cose.2006.11.004","article-title":"A qualitative study of users\u2019 view on information security","volume":"26","year":"2007","journal-title":"Computers & Security"},{"issue":"5","key":"key2020120707584220800_ref002","doi-asserted-by":"crossref","first-page":"548","DOI":"10.1108\/17410390910993536","article-title":"A situated cultural approach for cross-cultural studies in IS","volume":"22","year":"2009","journal-title":"Journal of Enterprise Information Management"},{"key":"key2020120707584220800_ref003","first-page":"8","article-title":"Managing organizational culture","volume":"69","year":"1980","journal-title":"Management Review"},{"key":"key2020120707584220800_ref004","doi-asserted-by":"crossref","first-page":"145","DOI":"10.1016\/j.cose.2013.05.006","article-title":"Don\u2019t make excuses! discouraging neutralization to reduce IT policy violation","volume":"39","year":"2013","journal-title":"Computers & Security"},{"key":"key2020120707584220800_ref005","first-page":"96","article-title":"Deterrence and incapacitation: estimating the effects of criminal sanctions on crime rates","volume-title":"Crime and Society: Reading in Criminal Justice","year":"1978"},{"issue":"3","key":"key2020120707584220800_ref006","doi-asserted-by":"crossref","first-page":"523","DOI":"10.2307\/25750690","article-title":"Information security policy compliance: an empirical study of rationally-based beliefs and information security awareness","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"key":"key2020120707584220800_ref007","first-page":"101","article-title":"A conceptual analysis about the organizational impact of compliance on information security policy","year":"2012"},{"issue":"3","key":"key2020120707584220800_ref008","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1080\/15536548.2005.10855772","article-title":"Perceptions of information security at the workplace: linking information security climate to compliant behaviour","volume":"1","year":"2005","journal-title":"Journal of Information Privacy and Security"},{"issue":"3","key":"key2020120707584220800_ref055","doi-asserted-by":"crossref","first-page":"157","DOI":"10.2753\/MIS0742-1222290305","article-title":"Organizations\u2019 information security policy compliance: stick or carrot approach?","volume":"29","year":"2012","journal-title":"Journal of Management Information Systems"},{"key":"key2020120707584220800_ref009","doi-asserted-by":"crossref","first-page":"447","DOI":"10.1016\/j.cose.2013.09.009","article-title":"Understanding the violation of IS security policy in organizations: an integrated model based on social control and deterrence theory","volume":"39","year":"2013","journal-title":"Computers & Security"},{"key":"key2020120707584220800_ref010","first-page":"13","article-title":"From security policy to practice: sending the right messages","volume":"3","year":"2010","journal-title":"Computer Fraud & Security"},{"key":"key2020120707584220800_ref011","volume-title":"Organizational Culture Inventory","year":"1987"},{"key":"key2020120707584220800_ref012","doi-asserted-by":"crossref","first-page":"90","DOI":"10.1016\/j.cose.2012.09.010","article-title":"Future directions for behavioral information security research","volume":"32","year":"2013","journal-title":"Computers & Security"},{"issue":"2","key":"key2020120707584220800_ref013","first-page":"159","article-title":"Impact of reward and recognition on job satisfaction and motivation: an empirical study from Pakistan","volume":"5","year":"2010","journal-title":"International Journal of Business and Management"},{"issue":"6","key":"key2020120707584220800_ref014","doi-asserted-by":"crossref","first-page":"643","DOI":"10.1057\/ejis.2011.23","article-title":"A review and analysis of deterrence theory in the IS security literature: making sense of the disparate findings","volume":"20","year":"2011","journal-title":"European Journal of Information Systems"},{"issue":"10","key":"key2020120707584220800_ref015","doi-asserted-by":"crossref","first-page":"113","DOI":"10.1145\/1290958.1290971","article-title":"\u201cDeterring internal information systems misuse","volume":"50","year":"2007","journal-title":"Communications of the ACM"},{"issue":"2","key":"key2020120707584220800_ref017","doi-asserted-by":"crossref","first-page":"285","DOI":"10.2753\/MIS0742-1222310210","article-title":"Understanding employee responses to stressful information security requirements: a coping perspective","volume":"31","year":"2014","journal-title":"Journal of Management Information Systems"},{"issue":"1","key":"key2020120707584220800_ref016","first-page":"1","article-title":"User awareness of security countermeasures and its impact on information systems misuse: a deterrence approach","volume":"20","year":"2009","journal-title":"Information Systems Research"},{"issue":"4","key":"key2020120707584220800_ref018","doi-asserted-by":"crossref","first-page":"532","DOI":"10.5465\/amr.1989.4308385","article-title":"Building theories from case study research","volume":"14","year":"1989","journal-title":"Academy of Management Review"},{"key":"key2020120707584220800_ref019","unstructured":"Ferguson, M., Sheehan, M., Davey, J. and Watson, B. (1999), Drink Driving Rehabilitation: The Present Context \u2013 A Road Safety Research Report, Centre for Accidental Research and Road Safety, Brisbane, available at: http:\/\/eprints.qut.edu.au\/7379\/1\/Alc_Rehab_2.pdf (accessed 10 October, 2015)."},{"issue":"5","key":"key2020120707584220800_ref020","first-page":"352","article-title":"A prototype tool for IS security awareness and training\u201d","volume":"15","year":"2002","journal-title":"International Journal of Logistics and Information Management"},{"key":"key2020120707584220800_ref056","volume-title":"The Discovery of Grounded Theory","year":"1967"},{"issue":"6","key":"key2020120707584220800_ref021","first-page":"133","article-title":"What holds the modern company together?","volume":"74","year":"1996","journal-title":"Harvard Business Review"},{"key":"key2020120707584220800_ref022","doi-asserted-by":"crossref","first-page":"242","DOI":"10.1016\/j.cose.2012.10.003","article-title":"Security-related behavior in using information systems in the workplace: a review and synthesis","volume":"32","year":"2013","journal-title":"Computers & Security"},{"issue":"6","key":"key2020120707584220800_ref023","doi-asserted-by":"crossref","first-page":"320","DOI":"10.1016\/j.im.2012.08.001","article-title":"The effect of multilevel sanctions on information security violations: a mediating model","volume":"49","year":"2012","journal-title":"Information & Management"},{"key":"key2020120707584220800_ref054","volume-title":"Cultures and Organizations: Software of the Mind","year":"1991"},{"issue":"2","key":"key2020120707584220800_ref024","doi-asserted-by":"crossref","first-page":"99","DOI":"10.1016\/j.im.2011.12.005","article-title":"Applying an extended model of deterrence across cultures: an investigation of information systems misuse in the US and South Korea","volume":"49","year":"2012","journal-title":"Information & Management"},{"issue":"4","key":"key2020120707584220800_ref026","doi-asserted-by":"crossref","first-page":"615","DOI":"10.1111\/j.1540-5915.2012.00361.x","article-title":"Managing employee compliance with information security policies: the critical role of top management and organizational culture","volume":"43","year":"2012","journal-title":"Decision Sciences"},{"issue":"6","key":"key2020120707584220800_ref025","first-page":"5460","article-title":"Does deterrence work in reducing information security policy abuse by employees?","volume":"54","year":"2011","journal-title":"Communications of the ACM"},{"issue":"1","key":"key2020120707584220800_ref027","doi-asserted-by":"crossref","first-page":"69","DOI":"10.1016\/j.im.2013.10.001","article-title":"Information systems security policy compliance: an empirical study of the effects of socialisation, influence, and cognition","volume":"51","year":"2014","journal-title":"Information & Management"},{"key":"key2020120707584220800_ref028","unstructured":"Kettley, P. (1995), \u201cIs flatter better? Delayering the management hierarchy\u201d, Report 290, The Institute for Employment Studies, Microgen, available at: www.employment-studies.co.uk\/system\/files\/resources\/files\/290.pdf (accessed 15 November 2015)."},{"issue":"2","key":"key2020120707584220800_ref029","first-page":"12","article-title":"Managing your organization\u2019s culture","volume":"3","year":"1985","journal-title":"The Nonprofit World Report"},{"key":"key2020120707584220800_ref030","doi-asserted-by":"crossref","first-page":"143","DOI":"10.28945\/492","article-title":"The impact of national culture on worldwide e-Government readiness","volume":"8","year":"2005","journal-title":"Informing Science Journal"},{"key":"key2020120707584220800_ref031","volume-title":"Culture: A Critical Review of Concepts and Definitions","year":"1952"},{"issue":"6","key":"key2020120707584220800_ref032","doi-asserted-by":"crossref","first-page":"707","DOI":"10.1016\/j.im.2003.08.008","article-title":"An integrative model of computer abuse based on social control and general deterrence theories","volume":"41","year":"2004","journal-title":"Information & Management"},{"issue":"2","key":"key2020120707584220800_ref033","doi-asserted-by":"crossref","first-page":"357","DOI":"10.2307\/25148735","article-title":"Review: a review of culture in information systems research: toward a theory of information technology culture conflict","volume":"30","year":"2006","journal-title":"MIS Quarterly"},{"key":"key2020120707584220800_ref034","first-page":"88","article-title":"Exploring the relationships between organizational culture and information security culture","year":"2009"},{"issue":"1","key":"key2020120707584220800_ref035","doi-asserted-by":"crossref","first-page":"29","DOI":"10.1177\/001872677803100102","article-title":"The effects of employee ownership on organizational identification, employee job attitudes, and organizational performance: a tentative framework and empirical findings","volume":"31","year":"1978","journal-title":"Human Relations"},{"issue":"1","key":"key2020120707584220800_ref036","doi-asserted-by":"crossref","first-page":"119","DOI":"10.1057\/ejis.2011.35","article-title":"Profiling grounded theory approaches in information systems research","volume":"22","year":"2013","journal-title":"European Journal of Information Systems"},{"key":"key2020120707584220800_ref037","volume-title":"Beginning Qualitative Research: A Philosophic and Practical Guide","year":"1994"},{"key":"key2020120707584220800_ref057","volume-title":"Theory Z: How American Business Can Meet the Japanese Challenge","year":"1981"},{"issue":"4","key":"key2020120707584220800_ref038","first-page":"49","article-title":"Muscle-build the organisation","volume":"65","year":"1987","journal-title":"Harvard Business Review"},{"issue":"3","key":"key2020120707584220800_ref039","first-page":"363","article-title":"Industry mindsets: exploring the cultures of two macro-organizational setting","volume":"5","year":"1994","journal-title":"Organization Science"},{"issue":"6","key":"key2020120707584220800_ref040","doi-asserted-by":"crossref","first-page":"559","DOI":"10.1016\/j.leaqua.2006.10.002","article-title":"Leadership and the organizational context: like the weather?","volume":"17","year":"2006","journal-title":"Leadership Quarterly"},{"issue":"2","key":"key2020120707584220800_ref041","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1037\/1076-8998.6.2.139","article-title":"The effects of job insecurity on employee safety outcomes: cross-sectional and longitudinal explorations","volume":"6","year":"2001","journal-title":"Journal of Occupational Health Psychology"},{"issue":"4","key":"key2020120707584220800_ref042","doi-asserted-by":"crossref","first-page":"757","DOI":"10.2307\/25750704","article-title":"Improving employees\u2019 compliance through information systems security training: an action research study","volume":"34","year":"2010","journal-title":"MIS Quarterly"},{"issue":"6","key":"key2020120707584220800_ref043","first-page":"26","article-title":"Effective drug-free workplace plan uses worker testing as deterrent","volume":"62","year":"1993","journal-title":"Occupational Health Safety"},{"issue":"2","key":"key2020120707584220800_ref044","doi-asserted-by":"crossref","first-page":"161","DOI":"10.1108\/01437730410521831","article-title":"The influence of organizational culture on attitudes toward organizational change","volume":"25","year":"2004","journal-title":"Leadership & Organization Development Journal"},{"issue":"5","key":"key2020120707584220800_ref045","doi-asserted-by":"crossref","first-page":"513","DOI":"10.1086\/210551","article-title":"Social control","volume":"1","year":"1896","journal-title":"American Journal of Sociology"},{"issue":"1","key":"key2020120707584220800_ref046","doi-asserted-by":"crossref","first-page":"15","DOI":"10.3138\/cjcrim.27.1.15","article-title":"Shoplifting prevention: the role of communication-based intervention strategies","volume":"27","year":"1985","journal-title":"Canadian Journal of Criminology"},{"issue":"12","key":"key2020120707584220800_ref047","doi-asserted-by":"crossref","first-page":"145","DOI":"10.1145\/1610252.1610289","article-title":"Are employees putting your company at risk by not following information security policies?","volume":"52","year":"2009","journal-title":"Communications of the ACM"},{"issue":"3","key":"key2020120707584220800_ref048","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1287\/isre.1.3.255","article-title":"Effective IS security: an empirical study","volume":"1","year":"1990","journal-title":"Information Systems Research"},{"issue":"4","key":"key2020120707584220800_ref049","doi-asserted-by":"crossref","first-page":"441","DOI":"10.2307\/249551","article-title":"Coping with systems risk: security planning models for management decision making","volume":"22","year":"1998","journal-title":"MIS Quarterly"},{"key":"key2020120707584220800_ref050","doi-asserted-by":"crossref","first-page":"13","DOI":"10.4018\/jgim.2002010102","article-title":"Toward a theory-based measurement of culture","volume":"10","year":"2002","journal-title":"Journal of Global Information Management"},{"key":"key2020120707584220800_ref051","doi-asserted-by":"crossref","first-page":"275","DOI":"10.1016\/j.cose.2004.01.013","article-title":"From policies to culture","volume":"23","year":"2004","journal-title":"Computers & Security"},{"key":"key2020120707584220800_ref052","doi-asserted-by":"crossref","first-page":"191","DOI":"10.1016\/j.cose.2004.01.012","article-title":"Towards information security behavioural compliance","volume":"23","year":"2004","journal-title":"Computers & Security"},{"issue":"2","key":"key2020120707584220800_ref053","first-page":"400","article-title":"Punishment, justice, and compliance in mandatory IT settings","volume":"22","year":"2011","journal-title":"Information Security Research"}],"container-title":["Information &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2017-0013\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/ICS-03-2017-0013\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T01:22:45Z","timestamp":1753406565000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/25\/2\/118-136\/110946"}},"subtitle":["A qualitative study"],"short-title":[],"issued":{"date-parts":[[2017,6,12]]},"references-count":57,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2017,6,12]]}},"alternative-id":["10.1108\/ICS-03-2017-0013"],"URL":"https:\/\/doi.org\/10.1108\/ics-03-2017-0013","relation":{},"ISSN":["2056-4961"],"issn-type":[{"value":"2056-4961","type":"print"}],"subject":[],"published":{"date-parts":[[2017,6,12]]}}}