Variations in Information Security Cultures across Professions: A Qualitative Study

The importance of culture in helping explain and understand behavior is generally accepted. Scholars in the area of information security have argued that security culture is a key factor in safeguarding information assets. Scholars in the area of professional culture have argued that differences in cultures across professions must be accounted for, in correctly assessing the influence of culture. Combining these arguments, we suggest that differences in security cultures across professions need to be examined to fully comprehend the influences of security culture. The current study uses a qualitative approach to further the understanding of information security cultures across four professions: Information Systems, Accounting, Human Resources, and Marketing. The concept of security culture is articulated, and the security cultures of the four professions are characterized to demonstrate that there are significant variations in security culture across these professions. The study also shows that information security continues to be viewed as a technical problem, that even the most conservative and rule-compliant groups may violate security rules under performance pressure, and that awareness by itself is not sufficient to build a strong security culture.