The current issue and full text archive of this journal is available at www.emeraldinsight.com/0968-5227.htm

IMCS 17,5

Information technology security management concerns in global financial services institutions

Is national culture a differentiator?

Received 9 January 2009 Revised 1 May 2009 Accepted 25 June 2009

Princely Ifinedo
Shannon School of Business, Cape Breton University, Sydney, Canada

Abstract
Purpose – The purpose of this paper is to add a layer of understanding to a previous survey of information technology (IT) security concerns and issues in global financial services institutions (GFSI).
Design/methodology/approach – This paper uses data obtained from a secondary source. The dimensions of national culture used in this paper come from Hofstede’s work. Two analyses are performed on the data. First, a non-parametric test is conducted to determine whether there are significant differences on the 13 IT security concerns when the dimensions of national culture are used to group responses. Second, a correlation analysis is carried out between the study’s variables.
Findings – First, the results indicate that the dimensions of national culture are not statistically important in differentiating responses and perceptions of IT security concerns across GFSI. Second, some of the dimensions of national culture are found to have significant correlations with a few of the IT security concerns investigated.
Research limitations/implications – The use of a secondary data source introduces some limitations. The views captured in the survey are those of the management team; it is likely that end-users’ perceptions may vary considerably. Nonetheless, the main finding of the paper for corporate managers in the financial services industry is that IT security concerns appear to be uniform across cultures. Further, the data show that the dimension of uncertainty avoidance deserves further attention with regard to the assessment of security concerns in GFSI. This information may be useful for decision making and planning purposes in the financial services industry.
Originality/value – This paper is believed to be among the first to examine the impacts of national culture on IT security concerns in GFSI. The paper’s conclusions may offer useful insights to corporate managers in the industry.
Keywords Financial services, Data security, Communication technologies, National cultures, Globalization
Paper type Research paper

Information Management & Computer Security, Vol. 17 No. 5, 2009, pp. 372-387. © Emerald Group Publishing Limited, 0968-5227. DOI 10.1108/09685220911006678

1. Introduction
Owing to forces of globalization and other related factors, global financial services institutions (GFSI) around the world have witnessed a generally sustained growth in the financial services industry (Berger and Humphrey, 1997; Johnson, 2000; Berger and DeYoung, 2001; Arestis et al., 2003). For the purpose of this paper, the description of GFSI as provided by the Deloitte Touche Tohmatsu (DTT) survey will be used. Therein, GFSI included global financial institutions, banks, insurance companies, payment processors, and asset management companies. A GFSI acts as an agent for its clients and customers (Johnson, 2000; Moshirian, 2007). It is important not to confuse the term GFSI with the closely related phrase “global financial institutions” such as The World Bank and International Monetary Fund. The job of these bodies includes coordinating and regulating global financial systems at the international level (Moshirian, 2007).

Evidence suggests that across their industry, GFSI often comply with comparable performance measurements, benchmark assessments, and other industry-related standards and practices (Johnson, 2000; Berger and DeYoung, 2001; Hee et al., 2003; Alexander et al., 2004). By the same token, the use of information and communication technologies (ICT), including the internet, has become standard practice in the financial institutions industry (Johnson, 2000; Gupta et al., 2004; Business Wires, 2005; DTT-Global Security Survey, 2006, 2007; Bank of Japan, 2007). With this increasingly universal use of ICT in their operations, GFSI face a number of new risks and concerns (Chaturvedi et al., 2000; Bank of Japan, 2007; DTT-Global Security Survey, 2007). The Bank of Japan (2007) underscored the pertinence of the issue when it commented:

[. . .] [i]n recent years, the development of information technology [IT] has brought with it a rapid increase in the use of open network systems, as typified by the internet, to provide financial services. Concurrently, proper management of information security risks such as the risk of service interruptions, theft or alteration of data, impersonation and other events resulting from unauthorized access to the computer system is rapidly becoming critical.

Chaturvedi et al. (2000), citing the Information Security Industry Survey (1999), indicate that since 1998, upwards of 20 percent of financial institutions have suffered disruptions to their information and network systems. They add that “information security [management], therefore, is a pivotal business and technical undertaking for any company involved [in] [. . .] financial activities” (Chaturvedi et al., 2000). Expanding on this, Jung et al. (2001) have suggested that the majority of corporations, including those in the banking and finance sectors, face four main threats to organizational IT data and assets – interception, interruption, modification, and fabrication. They found that while some industries such as retail and manufacturing are concerned with only one or two threats, the same may not be true for financial services institutions where all the four threats appear to be a source of significant concern. Goodhue and Straub (1991) offer reasons why firms in the financial services sector may be more wary of breaches and threats relative to other businesses:
• over-reliance on ICT use in their operations;
• losses emanating from breaches in their operations can be extremely large; and
• the need to maintain a good public image and assure the confidentiality and integrity of their data and ICT assets.

Previous research has paid attention to analyzing IT threats, developing information systems (IS) security strategies and policies, and maintaining IS security adequacy in modern organizations (Straub and Welke, 1998; Goodhue and Straub, 1991; Hee et al., 2003; Kankanhalli et al., 2003; Kruck and Teers, 2008); however, such studies “seldom consider organizational characteristics [. . .] nor do they pay attention to industrial applications [and specificity]” (Yeh and Chang, 2007, p. 480). Indeed, the literature suggests that IT security threats, risks, and concerns vary by industry (Goodhue and Straub, 1991; Kankanhalli et al., 2003; Yeh and Chang, 2007). Financial services institutions, due, in part, to the aforementioned factors, face a constant challenge and have to find ways to protect and secure their ICT and business transactions from
sophisticated criminals (Willison and Backhouse, 2006; Doherty and Fulford, 2005; Kruck and Teers, 2008; Ifinedo, 2008). It is worth mentioning that the recent Computer Crime and Security Survey (2007) showed that financial fraud has overtaken virus attacks as businesses’ main source of financial loss. To that end, GFSI know that they must proactively work toward protecting customer data and thwart emerging threats. With respect to IT security concerns, Kankanhalli et al. (2003) note that financial organizations tend to have stiffer deterrent mechanisms than do organizations in other sectors. Suffice it to say, there is a need for studies that investigate the readiness and capability of GFSI in addressing IT security concerns in their industry. This present study is motivated by such a need.

Practitioners in the financial services industry, perhaps realizing the need to focus on security issues, have themselves started investigating and reporting industry IT security concerns. The series of surveys conducted by DTT stands out in this regard (DTT-Global Security Survey, 2006, 2007). The first of the DTT surveys was published in 2003 and four others have since followed. The DTT surveys were designed to educate GFSI on how IT security concerns compare in the global arena. The summary of the most recent survey’s findings is available online (see DTT-Global Security Survey, 2007 for more detailed information). This present effort draws on the most recent DTT survey[1] and aims to provide a layer of understanding not found in the survey by examining whether national cultural factors play a role in how IT security concerns are perceived by GFSI. The desire to explore this line of inquiry is informed by findings elsewhere which suggest that national cultural values, attitudes, and norms are critical for organizations (and their employees) when adopting and implementing innovations and new practices, including those related to IT security concerns (Shane, 1993; Hofstede, 2001; Png et al., 2001; Kankanhalli et al., 2004; Dinev et al., 2008).

The objectives of this study are threefold. First, it aims at providing deeper insights to a prior line of inquiry. Second, it seeks to act as a base for future studies investigating perceptions of IT security concerns in GFSI across different cultural contexts. Third, it seeks to complement the emerging literature on the impacts and influences of national culture on IT security and privacy issues (Milberg et al., 1995, 2000; Björck and Jiang, 2006; Schmidt et al., 2008; Dinev et al., 2008; Ifinedo, 2009). In particular, this study is designed to provide answers to the following questions:

Q1. Can the dimensions of national culture differentiate IT security concerns and issues across GFSI?
Q2. What relationships exist between the dimensions of national culture and IT security concerns and issues in GFSI?

The remainder of the paper is organized as follows. The next section presents the background of the study and a review of the relevant literature. Subsequently, the hypotheses are formulated and are followed by the research methodology. The data analysis is then presented and the paper ends with a discussion and conclusion section.

2. Background and literature review
IT security concerns and issues
Scholars such as Dhillon and Backhouse (2001), Straub and Welke (1998) and Siponen (2005) suggest that the high incidence of security breaches in organizations could be attributed to their inability to adequately focus on non-technical issues. Such non-technical concerns and issues include the basic policies, procedures, practices, and strategies that organizations put in place to minimize threats and control any loss that may arise from breaches (Siponen, 2005; McPhee, 2008; Schatz, 2008). Not surprisingly then, 79 percent of participants in the 2007 DTT survey noted that human factors (non-technical issues) are the root cause of information security failures in the GFSI industry. For the purposes of this study, IT security concerns and issues loosely refer to threats, risks, privacy concerns, and other vulnerabilities to IS assets in the GFSI.

Several bodies have offered guidelines on how GFSI should deal with emerging information security management issues. ISO/TR 13569 (2005) has guidelines that address the development of an information security program for institutions in the financial services industry. EDS (2007) likewise recommends ways in which financial institutions could manage information risk and priority issues. Many of these recommendations serve the purpose of informing GFSI about ways to efficiently provide awareness information to their employees, and manage their IT security threats. The Information Systems Audit and Control Association (ISACA) also offers guidelines and recommendations on such issues. The security concerns that were investigated in the latest DTT survey, to some degree, mirror those of ISACA’s security governance maturity model in the Control Objectives for Information and Related Technology segment (McPhee, 2008). Suffice it to say, the IT security concerns reported in the 2007 DTT survey have both practical and theoretical industry significance.

The DTT survey and findings
DTT is an international firm that provides audit, tax, consulting, and financial advisory services to both public and private clients. DTT has a global network of member firms in 140 countries. The financial services sub-unit of the organization employs more than 1,500 partners and 17,000 financial services professionals in more than 40 countries. Over the past five years, this sub-unit has used its contacts, networks, and reach to research IT security concerns and issues in GFSI around the world. The first survey issued by the financial services sub-unit appeared in 2003 and four others have since followed (DTT-Global Security Survey, 2006, 2007). The DTT surveys probed selected IT security concerns; those that pertained to strategic and operational areas of security and privacy (DTT-Global Security Survey, 2007). As noted above, the survey sought to identify, record, and present the state of IT security issues in the financial services industry. Data collection involved the gathering of information using mainly qualitative research methods. According to the DTT-Global Security Survey (2006, p. 3):

Most of the data collection process took place through face-to-face interviews with the Chief Information Security Officer/Chief Security Officer (CISO/CSO) or designate, and in some instances, with the security management team.

Participants in the 2007 study came from 32 countries and seven regions of the world: Asia Pacific (APAC) excluding Japan, Former Soviet Republics – Commonwealth of Independent States (CIS), the Middle East and Africa (EMEA), Latin America and the Caribbean Region (LACRO), Japan, Europe, Canada, and the USA. The DeloitteDEX team, a separate unit in the organization, analyzed and validated the collected data.
The countries/regions sampled in the study are diverse both culturally and economically. Table I presents a summary of the responses from the DTT survey of 2007. Admittedly, the financial services industry is currently facing a turbulent period. That does not, in any way, mean that research on relevant topics in the industry should cease indefinitely. Indeed, the industry is known to be characterized by periods of highs and lows (Berger and Humphrey, 1997; Johnson, 2000). Of note is the fact that new surveys on IT security concerns in the industry continue to appear with results similar to what is discussed herein (PricewaterhouseCoopers, 2008; Ifinedo, 2009).

National culture
Culture, to anthropologists, represents the fabric of meaning through which a society interprets the events around it (Geertz, 1973). Bodley (1994) refers to it as the ways of life for a society. Hofstede (2001) defines culture as the collective programming of the mind which distinguishes the members of one group from another. The work of Hofstede (2001) has been widely recognized as the most dominant framework for theory development and validation in cross-cultural studies (Myers and Tan, 2002). The four main cultural dimensions in Hofstede’s typology are highlighted below. Table II shows the scores of each dimension for the selected countries. Despite the limitations in Hofstede’s work, several studies in IS and related disciplines have used it to compare and contrast perceptions across diverse cultures (Png et al., 2001; Waarts and van Everdingen, 2006). Studies on IT security and privacy issues have done the same (Milberg et al., 2000; Björck and Jiang, 2006; Dinev et al., 2008):
• Power distance index (PDI) – “focuses on the degree of equality, or inequality, between people in the country’s society.” (ITIM, 2008).
• Individualism (IDV) – “focuses on the degree the society reinforces individual or collective achievement and interpersonal relationships.” (ITIM, 2008).
• Masculinity (MAS) – “focuses on the degree the society reinforces, or does not reinforce, the traditional masculine work role model of male achievement, control, and power.” (ITIM, 2008).
• Uncertainty avoidance index (UAI) – “focuses on the level of tolerance for uncertainty and ambiguity within the society – i.e. unstructured situations.” (ITIM, 2008).

Research indicates that cultural values influence the diffusion of innovations and new practices, including those related to IT security (Shane, 1993; Hofstede, 2001; Png et al., 2001; Waarts and van Everdingen, 2006; Björck and Jiang, 2006; Erunbam and de Jong, 2006). National cultural values have been known to inhibit the successful implementation of practices exported from one part of the world to another. For example, Hofstede (2001) cited the example of management by objectives (MBO), which was a success in countries with low-power distance scores and a failure in cultures with high-PDIs. This divergence in MBO success was shown to derive from the fact that MBO works well in environments where superior-subordinate negotiation is encouraged. Similarly, Png et al. (2001) found that corporations with higher UAI scores were less likely to adopt certain IT infrastructure than their counterparts with lower UAI scores.

Table I. Key IT security and privacy issues responses in GFSI segmented by regions/countries

Columns: APAC (excluding Japan) (%), Japan (%), CIS (%), EMEA (%), Canada (%), USA (%), LACRO (%)

Regional highlight (rows):
GFSI who feel that security has risen to the C suite or board as a critical area of business
GFSI possessing a security strategy
GFSI whose information security strategy is led and embraced by line and functional business leaders
GFSI who have incorporated application security and privacy as part of their software development lifecycle
GFSI who feel they have both commitment and funding to address regulatory requirements
GFSI who feel that government driven security regulations are effective in improving security posture in their industry
GFSI who have security linked to their IT security employee’s appraisals
GFSI who feel they presently have both the required skills and competencies to respond effectively and efficiently to foreseeable security requirements
GFSI whose employees have required at least one training and awareness session on security and privacy in the last 12 months
GFSI who have an executive responsible for privacy
GFSI who have a program for managing privacy compliance
GFSI who have experienced repeated internal breaches over the last 12 months
GFSI who have experienced repeated external breaches over the last 12 months

Cell values (%), in extraction order:
71 75 6 22 79 89 40 31 91 100 95 13 35
78 62 0 30 77 93 43 7 69 85 100 36 79
63 38 67 75 57 25 50 100 67 0 14 83 75
71 31 78 84 60 39 44 82 77 33 10 82 61
91 55 80 82 91 27 45 82 50 18 0 78 27
88 68 14 46 64 89 57 35 61 30 31 26 63
89 68 18 36 80 90 70 20 95 84 89 35 70

Source: DTT-Global Security Survey (2007)

Table II. Cross-cultural dimensions scores of selected countries

National cross-cultural dimensions: PDI, IDV, MAS, UAI

Region | Country | PDI | IDV | MAS | UAI
APAC | Australia | 36 | 90 | 61 | 51
APAC | China | 80 | 20 | 66 | 40
APAC | Malaysia | 104 | 26 | 50 | 36
Japan | Japan | 54 | 46 | 95 | 92
EMEA | UK | 35 | 89 | 66 | 35
EMEA | Germany | 35 | 67 | 66 | 65
EMEA | Italy | 50 | 76 | 70 | 75
EMEA | France | 68 | 71 | 43 | 86
EMEA | South Africa | 49 | 65 | 63 | 49
EMEA | UAE | 80 | 38 | 52 | 68
LACRO | Argentina | 49 | 46 | 56 | 86
LACRO | Mexico | 81 | 30 | 69 | 82
LACRO | Brazil | 69 | 38 | 49 | 76
USA and Canada | USA | 40 | 91 | 62 | 46
USA and Canada | Canada | 39 | 80 | 52 | 48
CIS | Russia Fed. | 93 | 39 | 36 | 95
CIS | Ukraine | 93 | 39 | 36 | 95

Notes: PDI, power distance index; IDV, individualism; MAS, masculinity; UAI, uncertainty avoidance index

When it comes to security and privacy concerns, the results have been mixed. Schmidt et al. (2008), in studying Chinese and American cultures, found significant differences in perceptions of relevant computer security threats. Björck and Jiang (2006), when researching IT security implementations, found that Singapore and Sweden differed on power distance and individualism indices but not on UAI and masculinity indices. Milberg et al. (2000), sampling the views of approximately 900 ISACA members in 30 countries on selected security concerns and privacy issues, did not find any significant differences between the participants on three dimensions of national culture: power distance, UAI, and individuality.

3. Hypotheses formulation
Four hypotheses will be formulated to test the veracity of Q1. Hofstede (2001) suggests that countries with low-UAI scores tend to be associated with low levels of anxiety and stress. Such countries tend to fare well when it comes to risk-taking. In contrast, countries with high scores on the UAI tend to exhibit high levels of anxiety and stress. Thus, one might expect security concerns to be higher in the latter group of countries when compared with the former. Further, countries exhibiting strong UAI tend to be averse to the adoption of innovations (Hofstede, 2001; Milberg et al., 2000) and it is likely that this extends to IT security-related innovations. It is hypothesized that:

H1. GFSI respondents in high “uncertainty avoidance” countries will exhibit higher levels of concern for the key security issues investigated.

Hofstede (2001) found that technological adoption is higher in countries with a low-power index. Waarts and van Everdingen (2006, p. 305) note that “centralized decision structures, authority and the use of formal rules are often the characteristics of organizations in countries with a high degree of power distance.” New ideas and innovations tend to diffuse faster in countries with a low “power distance” (Shane, 1993; Png et al., 2001). Thus, in countries with high-power distance scores, employees are expected to take initiatives from those in authority. This is not true for employees in low-power distance countries who respond with spontaneity (Hofstede, 2001). Björck and Jiang (2006) found differences between two different countries on this indicator when assessing IT security implementations. It is hypothesized that:

H2. GFSI respondents in high “power distance” countries will exhibit higher levels of concern for the key security issues investigated.

Kovačić (2005, p. 147) asserts that:

[. . .] it could be argued equally well that in a country with high masculinity there would also be a positive attitude toward implementing ICTs [and new ideas related to IT security management] if these technologies improve performance, increase the chance of success and support competition, which are all key factors of a masculine culture.

It is likely that the acceptance of new practices, including those related to IT security concerns, will be lower in less-masculine cultures. Similarly, Björck and Jiang (2006) found MAS to be a significant differentiator in IT security implementation in the two countries that they studied. It is hypothesized that:

H3. GFSI respondents in high “masculinity” countries will exhibit higher levels of concern for the key security issues investigated.

Evidence has shown that countries/regions of the world with higher individualism – i.e. low IND scores – tend to have higher capabilities when adopting new practices and innovations (Shane, 1993; Myers and Tan, 2002). These countries, which emphasize individualism, also tend to exhibit the belief that everyone has the right to privacy. Any interference with an individual’s privacy is frowned upon (Walczuch et al., 1995; Hofstede, 2001). The study by Walczuch et al. (1995) showed that countries with national attributes that highlight the dignity of the individual tend to uphold privacy and security concerns in the trans-border data flow. The foregoing discussion permits the prediction that:

H4. GFSI respondents in high “individualistic” countries will exhibit higher levels of concern for the key security issues investigated.

4. Research methodology and data sources
As was alluded to above, the main data (IT security and privacy issues in GFSI) used in this study came from the DTT-Global Security Survey (2007). In other words, the data are from a secondary source. The 13 security concerns and issues spanning strategic and operational areas used in the study are presented in Table II. The cultural dimensions of the selected countries were obtained from the work of Hofstede (2001), which is available online (ITIM, 2008). With the exception of Japan, Canada, and the USA, an effort was made to include at least two countries from each identified region in the DTT survey. However, as a request sent to the DTT researchers for a list of all the countries was declined, we were only able to draw from those countries mentioned informally in the DTT study. As a result, our sample is comprised of 17 countries rather than the 32 that the original DTT survey used. Importantly,
other researchers (Bagchi et al., 2006) have used limited samples of countries to investigate a comparable theme.

Other contextual information related to the DTT survey and pertinent to this study is as follows: their data came from 169 major GFSI, of which 29 percent were among the top 100 global financial institutions, 26 percent were among the top 100 global banks, and 14 percent were among the top 50 global insurance companies. The annual revenues of the respondents’ companies ranged from less than $1 billion to over $15 billion. The unit of analysis of the DTT survey was the organization as respondents were asked to give perceptions representative of their organizations’ views or standing on the issues being investigated. The 2007 DTT survey notes that due to the diverse nature of the institutions they surveyed, they resorted to using a qualitative format to capture their data, which were subsequently presented in percentages. The 2007 DTT report stressed that their results were by no means representative of each of the identified regions in their study. Importantly, other practitioners investigating similar themes as the DTT security surveys have presented analogous insights (PricewaterhouseCoopers, 2008). Thus, the face validity of the DTT survey is assured.

In this study, SPSS 14.0 was used for data analysis. For Q1 (and its set of hypotheses), we used a nonparametric test, Kruskal-Wallis H, to assess the veracity of the predictions. For Q2, we used Pearson’s correlation analysis to assess the strength of the relationships between 13 IT security concerns and issues and the four dimensions of national culture.

5. Data analysis and results
First, the tests of hypotheses H1-H4 using the Kruskal-Wallis H, significant at the p < 0.05 level, indicated that there were no statistically significant differences on the 13 IT security concerns and issues when the four dimensions of national culture were used to group the responses.
Second, with regard to relationships between the IT security issues and the dimensions of national culture, the results showed that only seven of the correlations yielded statistically significant results. The correlation results are highlighted in Table III. Note there are 52 (13 × 4) possible relationships in the correlation matrix. The numbers in italic font are the ones with statistical significance. Each of the significant relationships will be discussed in the next section.

Table III. Correlations between IT security concerns and the dimensions of national culture

IT security concern | PDI | IDV | MAS | UAI
a1. GFSI who feel that security has risen to the C suite or board as a critical area of business | 0.018 | 0.016 | -0.400 | 0.162
a2. GFSI possessing a security strategy | 0.383 | -0.386 | 0.041 | 0.494*
a3. GFSI whose information security strategy is led and embraced by line and functional business leaders | 0.021 | 0.023 | -0.190 | 0.512*
a4. GFSI who have incorporated application security and privacy as part of their software development lifecycle | -0.329 | 0.074 | 0.404 | -0.242
a5. GFSI who feel they have both commitment and funding to address regulatory requirements | -0.087 | 0.157 | 0.426 | -0.226
a6. GFSI who feel that government driven security regulations are effective in improving security posture in their industry | 0.594* | -0.478 | -0.415 | 0.245
a7. GFSI who have security linked to their IT security employee’s appraisals | -0.017 | 0.029 | -0.224 | 0.119
a8. GFSI who feel they presently have both the required skills and competencies to respond effectively and efficiently to foreseeable security requirements | -0.290 | 0.190 | 0.149 | 0.423
a9. GFSI whose employees have required at least one training and awareness session on security and privacy in the last 12 months | -0.418 | 0.565* | 0.332 | -0.118
a10. GFSI who have an executive responsible for privacy | -0.162 | 0.252 | 0.320 | -0.445
a11. GFSI who have a program for managing privacy compliance | -0.115 | 0.280 | 0.251 | -0.510*
a12. GFSI who have experienced repeated internal breaches over the last 12 months | 0.015 | 0.236 | -0.597* | -0.397
a13. GFSI who have experienced repeated external breaches over the last 12 months | -0.113 | 0.282 | -0.408 | -0.651**

Notes: Correlation is significant at: *0.05 and **0.01 two-tailed levels, respectively

6. Discussions and conclusion
Not much has been written about IT security concerns in relation to national culture. The main purpose of this study was to investigate whether national culture does matter in the perceptions of certain IT security concerns and issues across GFSI. As prior literature has suggested that the acceptance of new practices, innovations, etc. across countries/regions is often influenced by differences in national cultural values, norms, and attitudes, we posited that the same would be true of security concerns in the financial services industry (the focus on the financial services industry is necessitated by the evidence suggesting that threats in this industry are deserving of separate attention).

Our analyses of the data presented in the DTT survey showed that there are no significant differences on the thirteen IT security concerns investigated across the GFSI in the DTT survey when the responses were grouped by Hofstede’s four dimensions of national culture. When interpreting this finding, we suggest that caution be exercised as it is possible that there are inherent limitations that need to be put into perspective. Our results seem to be echoing those of Milberg et al. (2000) in failing to find any significant differences in the overall level of information privacy concerns vis-à-vis Hofstede’s cultural dimensions. More significantly, our results may be affirming the notion that most GFSI tend to comply with, and follow, similar practices across the financial services industry. That is, in this era of globalization, the acceptance of innovative practices, especially those related to IT security and privacy in GFSI, may not be open to influences arising out of national cultural norms, attitudes, and values; internal and industry considerations may be more compelling. Based on the data presented in the DTT Global Security Survey, we assert that the petitioned GFSI, regardless of the culture of their location, seem to hold comparable views on IT security concerns and issues in their industry.

This study also found seven significant relationships among the study’s variables. These are discussed as follows.

First, the correlation analysis revealed that GFSI possessing a security strategy tend to exist more in countries with relatively high-UAI scores. GFSI in such countries may hold the belief that risks, threats, and uncertainties can be attenuated through the acquisition of security strategies. On the other hand, GFSI from low UAI scores may not hold such beliefs. Second, the data suggested that countries with high-UAI scores house more “GFSI whose information security strategy is led and embraced by line and functional business leaders.” This could be interpreted to mean that GFSI employees from relatively high-UAI countries may have a greater need for a “security champion” to direct IT security vision and strategies than their counterparts with low-uncertain avoidance indices. Third, the correlation analysis showed that respondents in GFSI from high-power distance countries “feel that government driven security regulations are effective in improving security posture in their industry” more than their counterparts from high-power distance countries. This finding is consistent with the literature indicating that the views of those in authority matter in such countries (Hofstede, 2001). Fourth, with respect to the issue of “GFSI whose employees have required at least one training and awareness session on security and privacy in the last 12 months,” the data analysis showed that GFSI employees in individualistic cultures fared better (had more training) than their counterparts from group-oriented cultures. Fifth, the data showed that “GFSI who have a program for managing privacy compliance” are more likely to operate in cultures with relatively low-UAI scores. That is, GFSI located in cultures that are able to entertain uncertainties and risks pay more attention to privacy compliance concerns. 
The foregoing five observations and results lend credence to the views espoused by Hofstede (2001) and others (Shane, 1993; Walczuch et al., 1995; Png et al., 2001; Waarts and van Everdingen, 2006; Erunbam and de Jong, 2006; Björck and Jiang, 2006). Sixth, “GFSI who have experienced repeated internal breaches over the last 12 months” appear to operate in less masculine cultures. This permits the suggestion that security concerns may be less linked to the interplay of power. Seventh, “GFSI who have experienced repeated external breaches over the last 12 months” were found in countries with high-UAI scores. This is not surprising given that such societies have a low tolerance for threats and risks. Thus, it is possible that GFSI based in countries/regions with high-UAI index scores pay more attention to, and readily report, breaches than do counterparts from other regions.

This study provides implications for both researchers and practitioners alike. Theoretically, it is among the first of its kind to investigate whether national culture does have any relevance when assessing security concerns in GFSI. The findings of this study offer preliminary insights that could serve as a basis for future inquiry in the area. Empirical studies in this area of study are scarce. In this regard, this endeavor may stimulate future research. Of note, the results lend credence to the findings of Milberg et al. (2000) who suggested that national cultural values might not totally matter in the evaluation of information security concerns. On the other hand, our insight is at variance with those espoused by Dinev et al. (2008) who noted that national culture is significantly important for moderating the security concerns and behaviors of end-users. The dissenting viewpoints may be due to the differing participants in both studies. The DTT survey, which this study benefited from, used management teams’ perceptions of security concerns whereas the Dinev et al. study focused on end-users’. In fact, the literature has shown that both groups, more often than not, hold differing perspectives on IT-related issues (Ifinedo, 2007). In light of the repeated significance in the relationship between UAI and various IT security concerns, we are impelled to postulate that UAI is an important dimension of culture that researchers should pay more attention to when investigating IT security concerns vis-à-vis national culture. We concur with the conclusions made by Björck and Jiang (2006) and Bagchi et al. (2006) as to the relative importance of the UAI dimension. More importantly, the conclusions we offer are by no means final as more research on this theme is expected.

Our research offers practical implications as well. On the basis of the data provided by the DTT survey and the subsequent analysis performed herein, we support the notion that the acceptance of practices and industry-related standards, including those related to IT security concerns and issues, seems to be uniform in the financial services industry. As a consequence, corporate managers could avail themselves of this information as they implement IT security policies in the regions and countries in which they have operations. Perceptions of threats, risks, and responses to such issues appear to be the same across the board. This information may be crucial for planning and control in the industry as managers need not bother themselves with developing and implementing different IT security policies and strategies depending on the cultural values in which they operate. We contend that policies, practices, and procedures formulated at the international level may be fit for such purposes (OECD, 2005). GFSI managers also stand to benefit from the information provided in this research with regard to relationships between security concerns and some cross-cultural dimensions. Such insights may serve as input for decision-making in the industry.

There are limitations to this study.
First, it inherits all the limitations in the DTT study. Data analysis might have been more robust were the data presented on the Likert scale rather than in percentages. Future study may consider using the Likert scale to facilitate research replication. Another replicated shortcoming in the DTT survey and data presentation is the lumping together of countries from the Middle East, Africa, and Europe. Data from The World Bank (2007) suggest that this exercise might be misleading given the disparity in national development across these regions. Third, the DTT study did not provide explicit information about the countries from which they received responses. Fourth, a larger sample of countries, more than 17, might permit deeper understanding. Fifth, it is difficult to say with certainty whether the findings in the DTT survey apply to all work groups. As was noted, the views of end-users on such issues may differ from those of the management team. Sixth, there is a fundamental flaw in Hofstede’s work wherein “culture” in a nation-state is assumed to be monolithic (Myers and Tan, 2002). It is a known fact that in any single nation there are many different cultures. Regardless of the limitations of this present study, it nonetheless serves to add to the growing body of knowledge on the security concerns in the financial services industry. Future research directions may want to know whether socio-economic factors could differentiate IT security concerns across GFSI. The end-users’ views on security concerns in GFSI should be considered to enhance insight. This study used cross-sectional data for its analysis; future inquiry should employ the longitudinal study approach.

Note

1. The latest in the DTT series was released in February 2009 just before this paper was accepted for publication.


References

Alexander, K., Rahul Dhumale, R. and Eatwell, J. (2004), Global Governance of Financial Systems: The International Regulation of Systemic Risk, Oxford University Press, Oxford.

Arestis, P., Baddeley, M. and McCombie, J. (2003), Globalisation, Regionalism and Economic Activity, Edward Elgar, Cheltenham.

Bagchi, K., Kirs, P. and Cerveny, R. (2006), “Global software piracy: can economic factors alone explain the trend?”, Communications of the ACM, Vol. 49 No. 6, pp. 70-5.

Bank of Japan (2007), “The importance of information security for financial institutions and proposed countermeasures”, available at: www.boj.or.jp/en/type/release/zuiji/kako02/data/fsk0004b.pdf

Berger, N. and DeYoung, R. (2001), “The effects of geographic expansion on bank efficiency”, Journal of Financial Services Research, Vol. 19 No. 2, pp. 163-84.

Berger, N. and Humphrey, D.B. (1997), “Efficiency of financial institutions: international survey and directions for future research”, European Journal of Operational Research, Vol. 98 No. 2, pp. 175-212.

Björck, J. and Jiang, K.W.B. (2006), “Information security and national culture: comparison between ERP system security implementations in Singapore and Sweden”, Master degree thesis, Royal Institute of Technology, Stockholm.

Bodley, J.H. (1994), Cultural Anthropology: Tribes, States, and the Global System, Mayfield, Mountain View, CA.

Business Wires (2005), “ICT spending on eBanking is set to surge as banks refresh existing eBanking platforms and re-engineer existing eBanking processes”, available at: http://findarticles.com/p/articles/mi_m0EIN/is_2005_August_30/ai_n14936833

Chaturvedi, M., Gupta, M., Mehta, S. and Valeri, L. (2000), “Fighting the Wily Hacker: modeling information security issues for online financial institutions using the SEAS environment”, Proceedings of Inet 2000, available at: www.isoc.org/inet2000/cdproceedings/7a/7a_4.htm

Computer Crime and Security Survey (2007), CSI Computer Crime and Security Survey 2007, Computer Security Institute, San Francisco, CA, available at: www.gocsi.com

Dhillon, G. and Backhouse, J. (2001), “Current directions in IS security research: toward socio-organizational perspectives”, Information Systems Journal, Vol. 11 No. 2, pp. 127-53.

Dinev, T., Goo, J., Hu, Q. and Nam, K. (2008), “User behavior towards protective technologies – the role of national cultural differences”, Information Systems Journal, Vol. 31 No. 1, pp. 1365-2275.

Doherty, N.F. and Fulford, H. (2005), “Do information security policies reduce the incidence of security breaches: an exploratory analysis”, Information Resources Management Journal, Vol. 18 No. 4, pp. 21-39.

DTT-Global Security Survey (2006), The Global Security Survey 2006, Deloitte Touche Tohmatsu, New York, NY, available at: www.deloitte.com/dtt/cda/doc/content/CA_FSI_2006%20Global%20Security%20Survey_2006-06-13.pdf

DTT-Global Security Survey (2007), The Global Security Survey, 2007, Deloitte Touche Tohmatsu, New York, NY, available at: www.deloitte.com/dtt/cda/doc/content/ca_en_Global_Security_Survey.final.en.pdf

EDS (2007), Eight Financial Services Security Concerns, available at: www.eds.com/news/features/3620

Erunbam, A.A. and de Jong, S.B. (2006), “Cross-country differences in ICT adoption: a consequence of culture?”, Journal of World Business, Vol. 41 No. 4, pp. 302-14.

Geertz, C. (1973), The Interpretation of Cultures, Basic Books, New York, NY.

Goodhue, D.L. and Straub, D.W. (1991), “Security concerns of system users: a study of the perceptions of the adequacy of security”, Information & Management, Vol. 20 No. 1, pp. 13-22.

Gupta, M., Rao, R. and Upadhyaya, S. (2004), “Electronic banking and information assurance issues: survey and synthesis”, Journal of Organizational and End User Computing, Vol. 16 No. 3, pp. 1-21.

Hee, J., Chen, Y. and Huang, W. (2003), “Straight through processing technology in global financial market: readiness assessment and implementation”, Journal of Global Information Management, Vol. 11, pp. 56-66.

Hofstede, G. (2001), Culture’s Consequences: Comparing Values, Behaviors, Institutions, and Organizations across Nations, 2nd ed., Sage, Thousand Oaks, CA.

Ifinedo, P. (2007), “An empirical study of ERP success evaluations by business and IT managers”, Information Management & Computer Security, Vol. 15 No. 4, pp. 270-82.

Ifinedo, P. (2008), “IT security and privacy issues in global financial services institutions: do socio-economic and cultural factors matter?”, paper presented at Sixth Annual Conference on Privacy, Security and Trust (PST2008), New Brunswick, NJ, October 1-3.

Ifinedo, P. (2009), “Information technology security concerns in global financial services institutions: do socio-economic factors differentiate perceptions?”, International Journal of Information Security and Privacy, Vol. 3 No. 2.

Information Security Industry Survey (1999), Information Security Magazine, available at: www.infosecuritymag.com (accessed July).

ISO/TR 13569 (2005), Financial Services – Information Security Guidelines, available at: www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=3724

ITIM (2008), Geert Hofstede Cultural Dimensions, available at: www.geert-hofstede.com/hofstede_dimensions.php

Johnson, H.J. (2000), Global Financial Institutions and Markets, Blackwell, New York, NY.

Jung, B., Han, I. and Lee, S. (2001), “Security threats to internet: a Korean multi-industry investigation”, Information and Management, Vol. 38 No. 8, pp. 487-98.

Kankanhalli, A., Tan, B.C.Y., Weia, K-K. and Holmes, M.C. (2004), “Cross-cultural differences and information systems developer values”, Decision Support Systems, Vol. 38 No. 5, pp. 183-95.

Kankanhalli, A., Teo, H.H., Tan, B.C.Y. and Wei, K-K. (2003), “An integrative study of information systems security effectiveness”, International Journal of Information Management, Vol. 23 No. 2, pp. 139-54.

Kovačić, Z.J. (2005), “The impact of national culture on worldwide e-Government readiness, informing science”, International Journal of an Emerging Discipline, Vol. 8, pp. 43-158.

Kruck, S.E. and Teers, F.P. (2008), “Computer security practices and perceptions of the next generation of corporate computer users”, International Journal of Information Security and Privacy, Vol. 2 No. 1, pp. 80-90.

McPhee, D. (2008), “Information technology infrastructure library and security management overview”, in Tipton, H.F. and Krause, K. (Eds), Information Security Management Handbook, Taylor & Francis, Boca Raton, FL.

Milberg, S., Smith, H.J. and Burke, S. (2000), “Information privacy: corporate management and national regulation”, Organization Science, Vol. 11 No. 1, pp. 35-57.


Milberg, S., Burke, S., Smith, H.J. and Kallman, E.A. (1995), “Values, personal information privacy, and regulatory approaches”, Communications of the ACM, Vol. 38 No. 13, pp. 65-74.

Moshirian, F. (2007), “Financial services and a global single currency”, Journal of Banking & Finance, Vol. 31 No. 1, pp. 3-9.

Myers, M.D. and Tan, F.B. (2002), “Beyond models of national culture in information systems research”, Journal of Global Information Management, Vol. 10 No. 1, pp. 24-32.

OECD (2005), “The promotion of a culture of security for information systems and networks in OECD countries”, DSTI/ICCP/REG(2005)1/FINAL, OECD, Paris, available at: www.oecd.org/dataoecd/16/27/35884541.pdf

Png, I.P.L., Tan, B.C.Y. and Wee, K.-L. (2001), “Dimensions of national culture and corporate adoption of IT infrastructure”, IEEE Transactions on Engineering Management, Vol. 48 No. 1, pp. 36-45.

PricewaterhouseCoopers (2008), The Global State of Information Security Survey 2008, PricewaterhouseCoopers, London, available at: www.pwc.com/extweb/home.nsf/docid/c1cd6cc69c2676d4852574da00785949

Schatz, D. (2008), “Setting priorities in your security program”, in Tipton, H.F. and Krause, K. (Eds), Information Security Management Handbook, Taylor & Francis, Boca Raton, FL.

Schmidt, M.B., Johnston, A.C., Arnett, K.P., Chen, J.Q. and Xi’an, S.L. (2008), “A cross-cultural comparison of US and Chinese computer security awareness”, Journal of Global Information Management, Vol. 16 No. 2, pp. 91-103.

Shane, S.A. (1993), “Cultural influences on national rates of innovation”, Journal of Business Venturing, Vol. 8 No. 1, pp. 59-73.

Siponen, M.T. (2005), “A conceptual foundation for organizational information security awareness”, Information Management & Computer Security, Vol. 8 No. 1, pp. 31-41.

Straub, D.W. and Welke, R.J. (1998), “Coping with systems risk: security planning models for management decision making”, MIS Quarterly, Vol. 22 No. 4, pp. 441-70.

Waarts, E. and van Everdingen, Y. (2006), “The influence of national culture on the adoption status of innovations: an empirical study of firms across Europe”, European Management Journal, Vol. 25 No. 6, pp. 601-10.

Walczuch, R.M., Singh, S.K. and Palmer, T.S. (1995), “An analysis of the cultural motivations for transborder data flow legislation”, Information Technology & People, Vol. 8 No. 2, pp. 37-57.

Willison, R. and Backhouse, J. (2006), “Opportunities for computer crime: considering systems risk from a criminological perspective”, European Journal of Information Systems, Vol. 15 No. 4, pp. 403-14.

(The) World Bank (2007), Development Data and Statistics, The World Bank, Washington, DC, available at: http://web.worldbank.org/

Yeh, Q.-J. and Chang, A.J.-T. (2007), “Threats and countermeasures for information system security: a cross-industry study”, Information and Management, Vol. 44 No. 5, pp. 480-91.

About the author

Princely Ifinedo is an Assistant Professor at the Shannon School of Business, Cape Breton University, Canada. He earned his PhD in Information Systems Science from the University of Jyväskylä, Finland. He also holds an MBA in International Management from Royal Holloway College, University of London, UK, an MSc in Informatics from Tallinn University of Technology, Estonia and a BSc in Mathematics/Computer Science from the University of Port-Harcourt, Nigeria. His current research interests include e-learning, e-business, e-government, ERP success measurement, social informatics, IT/business alignment, and the diffusion of IS/IT in developing countries and transiting economies (Sub-Saharan Africa and the Baltic). He has presented at various international IS conferences and his works have appeared in such journals as Journal of Computer Information Systems, Enterprise Information Systems, Journal of Information Technology Management, Information for Development, and Journal of Global Information Technology Management. He has authored (and co-authored) 60 peer-reviewed papers. He is affiliated with AIS, ASAC, DSI, and ACM. Princely Ifinedo can be contacted at: [email protected]
