ENFORCING INFORMATION SECURITY POLICIES THROUGH CULTURAL BOUNDARIES: A MULTINATIONAL COMPANY APPROACH

Transcription

1 Association for Information Systems AIS Electronic Library (AISeL) ECIS 2011 Proceedings European Conference on Information Systems (ECIS) Summer ENFORCING INFORMATION SECURITY POLICIES THROUGH CULTURAL BOUNDARIES: A MULTINATIONAL COMPANY APPROACH Ali Yayla Follow this and additional works at: Recommended Citation Yayla, Ali, "ENFORCING INFORMATION SECURITY POLICIES THROUGH CULTURAL BOUNDARIES: A MULTINATIONAL COMPANY APPROACH" (2011). ECIS 2011 Proceedings This material is brought to you by the European Conference on Information Systems (ECIS) at AIS Electronic Library (AISeL). It has been accepted for inclusion in ECIS 2011 Proceedings by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contact elibrary@aisnet.org.

2 ENFORCING INFORMATION SECURITY POLICIES THROUGH CULTURAL BOUNDARIES: A MULTINATIONAL COMPANY APPROACH Yayla, Ali Alper, School of Management, PO Box 6000, Binghamton University-SUNY, Binghamton, NY, 13902, USA, ayayla@binghamton.edu Abstract Information security policies can be considered as guidelines and used as a starting point to create a security structure within an organization. Although practitioners continuously emphasize the importance of such policies, information system scholars have not paid the required attention to this context from the cross-cultural perspective. The purpose of this study is to look at the cultural and institutional differences of a multinational company (MNC) and its subsidiaries, and discuss how these differences affect the MNC s strategy to enforce corporate information security policies to its subsidiaries in different cultural settings. The proposed framework considers the effects of the cultural distance, national economy, institutional distance, and stickiness of the knowledge transfer on the process of enforcing information security policies from the parent company to its subsidiaries. Keywords: Information security, Information security policy, Cultural distance, Institutional distance, Knowledge transfer, Stickiness

3 1 Introduction Today, ensuring availability, integrity and confidentiality of information and data concerns many organizations. Deterrence can be one of the initial steps that organizations can take to ensure information security (Straub and Welke, 1998). However, successful deterrence depends on organization s ability to control its environment with respect to internal and external threats. Information security policies define the nature of these controls (i.e., technical, formal and informal controls) and how these controls complement each other (Dhillon, 1999). Moreover, security policies govern how organizations information should be protected (Kabay, 2002; Barman, 2002). Whitman (2004) posits that a good security policy needs to outline individual responsibilities, define authorized and unauthorized uses of the systems, provide venues for employee reporting of identified or suspects threats to the system, define penalties for violations, and provide a mechanism for updating policy (p.52). Enforcing corporate security policies has been reported as one of the most effective ways to prevent or reduce electronic crime (Gordon et al., 2004). Overall, security policies can be considered as guidelines and can be used as a starting point for creating a security structure within an organization (Whitman, 2004). The nature of multinational companies (MNCs) adds a layer of complexity to enforcing security policies because MNCs need to consider the effects of different cultural and organizational settings and integrate these in their corporate security policies. Basing his arguments on Hofstede s cultural dimensions, Abdul-Gader (1997) emphasized culture as one of the most important environmental factors that MNCs should consider while adopting global Information Systems (IS) policies in Arab Gulf countries. He postulated that misconceptions of understanding about fate in the Islamic context and the technical capability of the Arab language are some of the issues that need to be considered by MNCs. However, management practices do not have to be different just because subsidiaries and parent company are in different countries and cultural settings. In their study, for instance, Anakwe et al. (2000) concluded that organizational support enhances microcomputer usage in Nigeria. Their result found support in other studies which demonstrated that similar management practices can be effective in different cultural settings (Igbaria, et al. 1995; Igbaria, 1992). Although practitioners continuously emphasize the importance of security policies, IS scholars have not paid the required attention to this context from the cross-cultural perspective. For instance, in their citation analysis of IS articles, Ford et al. (2003) found 57 articles about various contexts of IS that cited Hofstede s research on national culture. Further analyses showed that IS Management area led with 25 articles. Within this research stream, however, no study cited Hofstede s work in the IS Risk Management context. We aim to fulfil this gap by looking at cultural and institutional differences of an MNC and its subsidiaries and by investigating how these differences affect the MNC s strategy to enforce corporate security policies to its subsidiaries in different cultural settings. More specifically, we will discuss cultural distance, institutional distance, and the stickiness of the knowledge transfer and offer series of propositions. Our goal is to make a unique contribution to the IS security literature by focusing on the issues to be considered while enforcing information security policies within the MNC framework. 2 Theoretical Framework According to Minbaeva et al. (2003), MNCs can develop knowledge in one location and exploit it in another location through internal transfer of knowledge. One way of creating competitive advantage for MNCs is effectively sharing organizational practices (Jensen and Szulanski, 2004). For example, in the strategy literature, organizational practices and routines are considered as important sources of

4 competitive advantage since these assets are difficult to replicate (Jensen and Szulanski, 2004). Considering that organizational know-how is an important part of a MNC s global integration strategy, its competitive advantage partly resides in the effectiveness of sharing these practices and routines. MNCs are generally under different external and internal pressures. Externally, MNCs have to consider the institutional, cultural, and economic environments in multiple countries and have to be isomorphic with the local institutional environment to maintain their legitimacy (Kostova and Roth, 2002). Establishing and maintaining legitimacy in their multiple host environments is critical for companies that span various countries (Kostova and Zaheer, 1999). Internally, MNCs have to create consistency among their subsidiaries by leveraging activities worldwide to retain their competitive advantages (Kostova and Roth, 2002). We postulate that the process of enforcing information security policies to subsidiary companies would be affected by the cultural and institutional distances between the parent company and the subsidiary company. Moreover, the stickiness of the information security context would further affect this process. Figure 1 presents the framework of our study. Cultural Distance Institutional Distance Parent Company Enforcing Information Security Policies Subsidiary Company Stickiness Figure 1: The proposed framework for enforcing information security policies in multinational companies The main goal of information security policies is to provide a set of rules and guidelines to protect the organization from security breaches. Under the umbrella of this goal, organizations can have variety of security policies addressing different issues such as identification and authorization, Internet access, contingency planning, and even social networking. Although MNCs can span across continents, the interconnectedness of IT emphasizes the importance of enforcing information security policies on subsidiaries by the parent companies. Such that, a security breach or comprise of access rights at the subsidiary company can easily target the parent company through privilege escalation or social engineering. While transferring the actual information security policies consists of a simple process of sending the policies to the subsidiary companies, it is the implications of adhering with the requirements of such policies that create the difficulties in enforcing them. Security policies have unique features that separate them from other management practices. For instance, where a human resources practice focuses on recruiting, compensation, and performance appraisal, security policies can outline configuration of intrusion detection systems, management of cryptography keys, and designing secure infrastructure. Thus, in addition to traditional difficulties as a result of differences in norms, ethics and values, the technical requirements embedded in information security policies create the unique challenges in transferring and enforcing these policies to subsidiaries.

5 2.1 National Culture and Cultural Distance Various cross-cultural studies reported that there is a certain level of cultural coherence within the majority of nations (Hofstede and Peterson, 2000). The concepts that describe a nation s culture can be derived from Hofstede s (1980) study across 40 nations. The proposed four culture dimensions from his study are power distance, individualism versus collectivism, masculinity versus femininity, and uncertainty avoidance. The cultural distance (Kogut and Singh, 1988) is derived as a composite index from Hofstede s culture dimensions and widely used in international business and various other business disciplines (Shenkar, 2001). Literature suggests that the cultural distance can affect various organizational level decisions including choice of entry mode of the MNC (Kogut and Singh, 1988), performance of alliances (Sirmon and Lane, 2004), distributed justice values (Giacobbe-Miller et al., 2003), and human resources management practices (Liu, 2004). These studies conclude that cultural dimensions and cultural distance index have a central role in MNCs global strategy. The cultural dimensions have substantial importance in the success of enforcing security policies from the parent company to its subsidiaries as well. From the power distance perspective, it is important to look at the effects of restrictions outlined in security policies. Access controls, for example, can be considered as an effective measurement that is enforced by certain security policies. These controls restrict users from series of actions such as downloading files from the Internet, installing programs, and accessing certain parts of a computer network (Barman, 2002; Wakefield, 2004; Kabay, 2002). With respect to enforcing security policies, these restrictions may be problematic in high power distance cultures because adoption of power reducing technologies would be limited in such cultures (Straub et al., 1997). Hofstede (1980, 1997, 2001) posits that masculine societies put more stress on careers. This may lead masculine societies being performance oriented. Therefore, any technological or policy-based change in organizations that may hinder performance would create conflicts in masculine societies. Technologies outlined in security policies such as firewalls, antivirus programs, and passwords are generally considered as having negative effects on performance (Bace, 2002; Barman, 2004; Brussin, 2002; Cobb, 2002; Sandhu, 2002). Therefore, enforcing security policies to masculine societies may compromise certain drawbacks. Moreover, security policies reduce ambiguity by outlining certain rules and procedures. The salience of these policies depends on the society s level of uncertainty. Weak uncertainty avoidance societies are in favor of less formalization and standardization, whereas in strong uncertainty avoidance societies, there is an emotional need for rules (Hofstede, 1997). Therefore, this cultural dimension also has an impact on enforcing security policies to subsidiaries. Furthermore, security policies may require actions such as monitoring messages, recording keystrokes and collecting private data (Levine, 2002). Similarly, these policies may outline procedures for disciplining computer abusers in organizations (Barman, 2002). The tolerance level for these issues may differ across societies with respect to the individualism/collectivism dimension. Considering that cultural distance index captures the effects of all four cultural dimensions, MNCs that have big differences in this index compared to their subisidiaries would require different approaches in enforcing security policies. This leads to our first proposition; P1a: High cultural distance between the parent company and its subsidiaries will have a negative effect on the process of enforcing information security policies to the subsidiary companies. According to Hofstede and Peterson (2000) and Hofstede (2001) the cultural dimensions are useful and essential, however, they provide only limited detail. Gross national product, given as an example, often matters more than national culture in the national difference context. Parallel to this line of

6 thought, digital divide may be considered as an important factor in enforcing security policies to subsidiaries. Some of the limited examples on digital divide point out the potential effects of differences in national economies. For example, Dewan et al. (2004) demonstrated the importance of digital divide on cross-cultural IT penetration. Checchi et al. (2003) posited that governments play a central role in the implementation of IT policies. However, in less developed countries, the role of governments becomes more salient, as regional agencies, such as industrial/professional associates and international agencies step up into the policy making stage. In another study, Ehikamenor (2002) posited that some of the important factors that inhibit the application of information and communication technologies in Nigeria are inflation, low GDP, and exchange rates. Moreover, enforcing security policies in less developed countries would be problematic in terms of meeting the requirements of such policies. One problem is the availability of skilled IT staff. Organizations in less developed countries may not have enough human resources or capital to train their IT staff to meet the requirements. Another problem is the availability of necessary technology. For instance, required hardware and software products may not be available in less developed countries. These issues concerning countries economic viability lead us to our next proposition; P1b: Differences in the national economy of the parent company and its subsidiaries will have a negative effect on the process of enforcing information security policies to the subsidiary companies. 2.2 Institutional Theory and Institutional Distance The institutional theory (Scott, 1995) considers the institutional environment as the key determinant of the firm structure and its behavior. In their review of the institutional theory, Xu and Shenkar (2002) discussed that the theory has been supported in unitary and domestic environments and received less support in more complex environments where different institutional demands exist and where strategic choices are important. One of the research streams in this literature involves the interorganizational issues. This stream of research is critical from MNCs perspective since these companies feel pressure from two different sides: global integration and local orientation (Westney, 1983). This dual pressure is also discussed by Rosenzweig and Singh (1991) as the subsidiaries of a multinational enterprise try to keep the isomorphism with their local environments and at the same time keep the internal consistency within the enterprise. Gomez and Werner (2004) also considered the effects of double sided pressure on MNCs and investigated how similarities in management styles of parent and subsidiary companies have an effect on the performance of the subsidiaries. This study has the advantage of having all the subsidiaries in one country, and therefore, substituting the potential confounding effect of national culture. Their results were consistent with the literature and emphasized the point that management styles should be congruent with the national culture in which the subsidiary resides. Scott (1995) defined three pillars of the institutional theory as regulative pillar - the rules and laws to ensure stability of societies, normative pillar - the similarities between the value creation of organizations and the societal values, and cognitive pillar - the degree of consistency between organizations and existing structures of the society (Kostova and Zaheer, 1999; Busenitz et al., 2000). Following this framework, Kostova (1996, 1999) developed the institutional distance construct. The institutional distance can be considered as an alternative explanation of MNC behavior to the cultural distance. The institutional distance is the extent of dissimilarities between host and home organizations. In other words, it is the difference among the regulatory, normative and cognitive institutions of two countries (Kostova, 1996). According to the findings of Kostova and Zaheer (1999), the larger the institutional distance, the more difficult it is for the MNC to establish and maintain its legitimacy in the host country. Another effect of institutional distance is on the recipient s

7 (subsidiary) motivation. On their study, Jensen and Szulanski (2004) found significant negative relationship between the institutional distance and the recipient s motivation. Kostova and Roth (2002) further refined Scott s (1995) three pillars to introduce the concept of institutional profile. They posited that the institutional profile of a host country may affect the adoption of practices at a foreign subsidiary through the direct institutional pressure on the subsidiary to adopt the practice (p. 217). Adoption of practices may also be accomplished through subsidiary s employees since institutional theorists advocate that people in organizations are sources of the institutional elements. As discussed, subsidiaries experience institutional duality because they feel pressure to reside in parent company s institutional environment and also to create isomorphism with their own environment. Kostova and Roth (2002) discuss that this relational context between the parent and subsidiary company also influences the adoption of practices. These institutional factors are considered in the IS literature as well. For instance, Munir (2002) discussed the normative and cognitive factors within the technology transfer context. He defined three aspects of technology transfer: choosing the right technology, developing managerial and technical expertise, and accommodating technology into the organization. From the security policies and MNC perspective, the last aspect carries more weight. In most cases, security policies are supported with technological infrastructure such as use of firewalls, intrusion detection systems, etc. The normative influences will require managerial control when more knowledge-intensive technology is being imported to environments characterized by less knowledge-intensive technology since complex technologies tend to conflict with existing management practices (Munir, 2002; Hansen et al., 1999). Overall, security policies have to fit to the existing institutional character of the organizations in order to be successfully enforced. Since security policies outline several practices such as disciplining computer abusers, participation to formal training and awareness programs, regular third party audits and several new hardware and software implementations (Barman, 2002; Siponnen, 2000; Thomson and von Solms, 1998), a misfit between subsidiaries regulatory environment and requirements of the parent company s security policies will be problematic. Similar to these arguments, Hu et al. (2007) reported the effect of all three institutional forces on the initiatives to implement information systems security practices and protocols in a MNC. This leads to our next proposition; P2: High institutional distance between the parent company and its subsidiaries will have a negative effect on the process of enforcing information security policies to the subsidiary companies. 2.3 Stickiness and Knowledge Transfer Process During the knowledge transfer, parent companies recreate the complex and ambiguous routines in new settings. Szulanski (1996) argues that stickiness of organizational practices increases the difficulties of the transfer process. Prior research suggests four issues as important factors that contribute to the difficulty of knowledge transfer; characteristics of the knowledge transferred, characteristics of the source, characteristics of the recipient, and characteristics of the context (Szulanski, 1996). After studying 122 knowledge transfers with respect to these four characteristics, Szulanski (1996) concluded that the origins of stickiness are the lack of absorptive capacity of the recipient, causal ambiguity, and the arduous relationship between the source and the recipient. In their study, Ko et al. (2005) investigated the antecedents of knowledge transfer from consultants to clients in enterprise system implementations. The data were gathered from 96 enterprise resource planning projects including 80 client organizations and 38 consulting firms. The antecedents were grouped into three factors: communication, knowledge and motivational. Their results were also parallel to Szulanski s findings. Additional to knowledge factors such as arduous relationship, absorptive capacity and shared understanding, Ko et al. (2005) found that direct effects of both

8 source s and recipient s intrinsic motivations, source credibility and indirect effects of communication encoding and decoding competence are also important determinants of the knowledge transfer. Current understanding of transfer process suggests four stages: initiation, implementation, ramp-up and integration. Szulanski (2000) posits that organizations experience different types of stickiness in each stage. His findings show that motivation and perceived reliability are important factors during the first three stages, and absorptive capacity and causal ambiguity are important predictors of stickiness when all the stages are put together and the knowledge transfer is considered as a whole. In the context of information security, the effect of stickiness will be most visible on the technological requirements of security policies. Configurations of hardware and software programs for large scale networks require advanced knowledge and experience. This type of knowledge is considered tacit and therefore hard to document, replicate or transfer. Moreover, slightly different configurations of computers may prevent adaptation of the same solution in different computer networks. Considering this local solution issue and the tacitness of information security context, transferring security policies from one organization to another would be considered as sticky. This leads to our last proposition. P3: The stickiness of the information security practices will have a negative effect on the process of enforcing information security policies to the subsidiary companies. 3 Discussion While information security and globalization can be considered as two sides of the same coin, the lack of cross-cultural studies in the information security literature is worrisome. Our goal is to provide a framework as a starting point to fulfil this important gap. This study focuses on the cultural and institutional differences of MNCs and their subsidiaries and outlines how these differences affect the MNCs strategy to enforce information security policies to their subsidiaries in different cultural settings. Regarding the cultural differences, we proposed that high cultural distance will have a negative effect on the process of enforcing security policies to the subsidiaries. Parallel to this, we also proposed that differences in national economy and high institutional distance will have negative effects on this process as well. Lastly, we proposed that the stickiness of the IS security context will have an inherited detrimental effect on the efforts of enforcing these policies. The practical implications of the study are also vital. For instance, neglecting the cultural and institutional differences may result in loss of resources, high employee turnover, and even increased security breaches. Moreover, if it is not executed properly, the transfer of such policies may increase the dual pressure on the subsidiary, which in return may hinder their performance. Table 1 outlines these factors and how they relate to MNCs efforts in enforcing information security policies to their subsidiaries. One limitation of the study is the fact that the business context of the MNC may affect the salience of the information security policies. Companies in certain industries may need more security than others to protect their company specific information such as patents, source codes, manufacturing processes, etc. On the other hand, this study opens many directions for future research. One direction can be the investigation of the subsidiary absorptive capacity. As discussed above, Szulanski (1996) posits that the lack of absorptive capacity is one of the most important impediments to knowledge transfer. Minbaeva et al. (2003) also found significant relation between the absorptive capacity of the subsidiary and the knowledge transfer within the MNC. Future studies can consider either controlling the effect of subsidiary s capacity or including the effects of capacity into the context.

9 Cultural factors Power distance Uncertainty avoidance Masculinity/Femininity Sample requirements from information security policies Access control to certain files Regular security audits Use of anti-virus software Individualism/Collectivism Use of computer monitoring National economy Institutional factors Regulative Normative Cognitive Stickiness Implementation of advanced hardware or software Certain level of encryption required for storing confidential information Security certification Skilled employee Security of wireless infrastructure Potential issues In high power distance cultures, it is harder for IT employees to limit managers rights. Subsidiaries that are in low uncertainty cultures can have harder time to comply with rigid requirements of the parent company. Adoption of performance hindering software can be problematic in high masculinity cultures due to their focus on career advancement. Monitoring employee behavior can result in negative effect on employee morale, satisfaction, and performance in subsidiaries that reside in individualistic cultures. Availability of hardware and localization of software can be limited for subsidiaries that reside in developing or undeveloped countries. Countries of the subsidiaries can lack the regulations that exist in the parent company s country. Lack of availability of certain certifications or institutions in subsidiaries countries can limit subsidiaries to conform with normative factors. Lack of education in computer science and related fields in the subsidiaries country can limit the efforts to comply with the requirements of the security policy. Designing a secure and reliable wireless network requires unique considerations such as interference from the environment, size and shape of the buildings, etc. Due to these localized differences, achieving success using the same solution can be limited. Table 1. Factors that affect MNCs efforts in enforcing information security policies to their subsidiary companies. Another opportunity to take this study one step further is to investigate the effect of the MNC s structure. Barlett and Ghosahal s (1999) work introduced four different models of MNC: multinational, international, global and transnational. Each model has different configuration of assets and capabilities, role of foreign subunits, and development and diffusion of knowledge (Kostova and Roth, 2003). Therefore, the effectiveness of enforcing information security policies can be contingent

10 on the different characteristics of these four configuration models. In order to test the propositions and conduct the suggested future studies, a case study can be conducted to a multinational company with subsidiaries in different cultural, economical, and institutional settings. References Abdul-Gader, A.H. (1997). Information systems strategies for multinational companies in Arab Gulf countries. International Journal of Information Management, 17(1), Anakwe, U.P., Igbaria, M. and Anandarajan, M. (2000). Management practices across cultures: Role of support in technology usage. Journal of International Business Studies, 31(4), Bace, R.G. (2002). Vulnerability assessment and intrusion detection systems. In S. Bosworth and M. E. Kabay (Eds.), Computer Security Handbook. 4th ed. New York: John Wiley & Sons, Inc. Bartlett, C.A. and Ghoshal, S. (1989). Managing Across Borders: The Transnational Solution. Boston: Harvard Business School Press. Barman, S. (2002). Writing Information Security Policies. Indianapolis: New Riders. Busenitz, L.W., Gomez, C. and Spencer, J.W. (2000). Country institutional profiles: Unlocking entrepreneurial phenomena. Academy of Management Journal, 43(5), Brussin, D. (2002). Firewall and proxy servers. In S. Bosworth and M. E. Kabay (Eds.), Computer Security Handbook. 4th ed. New York: John Wiley & Sons, Inc. Checchi, R.M., Po-An Hsieh, J.J. and Straub, D.W. (2003). Public IT policies in less developed countries: A critical assessment of the literature and a reference fframework. Journal of Global Information Technology Management, 6(4), Cobb, C. (2002). Antivirus technology. In S. Bosworth and M. E. Kabay (Eds.), Computer Security Handbook. 4th ed. New York: John Wiley & Sons, Inc. Dewan, S., Ganley, S. and Kraemer, K.L. (2004). Across the digital divide: A cross-country analysis of the determinants of IT penetration. Personal Computing Industry Center, UC Irvine. Dhillon, G. (1999). Managing and controlling computer misuse. Information Management & Computer Security, 7(4), 171. Ehikhamenor, F.A. (2002). Socio-economic factors in the application of information and communication technologies in Nigerian print media. Journal of the American Society for Information Science and Technology, 53(7), Ford, D.P., Connelly, C.E. and Meister, D.B. (2003). Information systems research and Hofstede s Culture s Consequences: An uneasy and incomplete partnership. IEEE Transactions on Engineering Management, 50(1), Giacobbe-Miller, J.K., Miller, D.J., Zhang, W. and Victorov, V.I. (2003). Country and organizationallevel adaptation to foreign workplace ideologies: a comparative study of distributive justice values in China, Russia and the United States. Journal of International Business Studies, 34, Gomez, C. and Werner, S. (2004). The effect of institutional and strategic forces on management style in subsidiaries of U.S. MNCs in Mexico. Journal of Business Research, 57(10), Gordon, L.A., Loeb, M.P., Lucyshyn, W. and Richardson, R. (2004) CSI/FBI Computer Crime and Security Survey. Hansen, M., Nohria, N. and Tierney, T. (1999). What s your strategy for managing knowledge? Harvard Business Review, Hofstede, G. (1980). Culture's Consequences: International Differences in Work Related Values. Beverly Hills, CA: Sage. Hofstede, G. (1997). Cultures and Organizations: Software of the Mind. New York: McGraw Hill. Hofstede, G. (2001). Culture's Consequences: International Differences in Work Related Values. 2nd ed. Thousand Oaks, Ca: Sage. Hofstede, G. and Peterson, M.F. (2000). National culture and organization culture. In N. Ashkanasy, C. Wilderom, and M. F. Peterson (Eds.), Handbook of Organizational Culture and Climate: Thousan Oaks, CA: Sage.

11 Hu, Q., Hart, P. and Cooke, D. (2007). The role of external and internal influences on information systems security A neo-institutional perspective. Journal of Strategic Information Systems, 16, Igbaria, M. (1992). An examination of microcomputer usage in Taiwan. Information and Management, 22, Igbaria, M., Tor, G. and Gordon, B.D. (1995). Testing the determinants of microcomputer usage via a structural equation model. Journal of Management Information Systems, 13(1), Jensen, R. and Szulanski, G. (2004). Stickiness and the adaptation of organizational practices in crossborder knowledge transfers. Journal of International Business Studies, 35(6), Kabay, M.E. (2002). Developing security policies. In S. Bosworth and M. E. Kabay (Eds.), Computer Security Handbook. 4th ed. New York: John Wiley & Sons, Inc. Ko, D., Kirsch, L.J. and King, W.R. (2005). Antecedents of knowledge transfer from consultants to clients in enterprise system implementations. MIS Quarterly, 29(1), Kogut, B. and Singh, H. (1988). The effect of national culture on the choice of entry mode. Journal of International Business Studies, 19(3), Kostova, T. (1996). Success of the transnational transfer of organizational practices within multinational companies. University of Minnesota, Minneapolis. Kostova, T. (1999). Transnational transfer of strategic organizational practices: A contextual perspective. Academy of Management Review, 24(2), Kostova, T. and Roth, K. (2002). Adoption of an organizational practice by subsidiaries of multiniational corporations: institutional and relational effects. Academy of Management Journal, 45(1), Kostova, T. and Roth, K. (2003). Social capital in multinational corporations and a micro-macro model of its formulation. Academy of Management Review, 28(2), Kostova, T. and Zaheer, S. (1999). Organizational legitimacy under conditions of complexity: The case of the multinational enterprise. Academy of Management Review, 24(1), Levine, D. E. (2002). Monitoring and control systems. In S. Bosworth, & M. E. Kabay (Eds.), Computer Security Handbook. 4th ed. New York: John Wiley & Sons, Inc. Liu, W. (2004). The cross-national transfer of HRM practices in MNCs: An integrative research model. International Journal of Manpower, 25(6), Minbaeva, D., Pederson, T., Bjorkman, I., Fey, C.F. and Park, H.J MNC knowledge transfer, subsidiary absorptive capacity, and HRM. Journal of International Business Studies, 34, Munir, K.A. (2002). Being different: How normative and cognitive aspects of institutional environments influence technology transfer. Human Relations, 55(12), Pavlia, P.C. (1998). Research issues in global information technology management. Information Resource Management Journal, 11(2), Rosenzweig, P.M. and Singh, J.V. (1991). Organizational environments and the multinational enterprise. Academy of Management Review, 16(2), Sandhu, R. (2002). Identification and authentication. In S. Bosworth, & M.E. Kabay (Eds.), Computer Security Handbook. 4th ed. New York: John Wiley & Sons, Inc. Scott, W.R. (1995). Institutions and Organizations. Thousand Oaks; CA: SAGE. Shenkar, O. (2001). Cultural Distance Revisited: Towards a more rigorous conceptualization and measurement of cultural differences. Journal of International Business Studies, 32(3), Siponen, M.T. (2000). Critical analysis of different approaches to minimizing user-related faults in information systems security: implications for research and practice. Information Management & Computer Security, 8(5), Sirmon, D.G. and Lane, P.J. (2004). A model of cultural differences and international alliance performance. Journal of International Business Studies, 35(5), Straub, D., Keil, M. and Brenner, W. (1997). Testing the technology acceptance model across cultures: A three country study. Information and Management, 33, Straub, D.W. and Welke, J.R. (1998). Coping with systems risk: Security planning models for management decision making. MIS Quarterly, 22(4), 441.

12 Szulanski, G. (1996). Exploring internal stickiness: Impediments to the transfer of best practice within the firm. Strategic Management Journal, 17, Szulanski, G. (2000). The Process of Knowledge Transfer: A diachronic analysis of stickiness. Organizational Behavior and Human Decision Processes, 82(2), Thompson, M.E. and von Solms, B. (1998). Information security awareness: Educating our users effectively. Information Management & Computer Security, 6(4), Wakefield, R.L. (2004). Network security and password policies. The CPA Journal, 74(7), 6. Westney, D.E. (1993). Institutionalization Theory and the Multinational Corporation. New York: St. Martin's Press. Whitman, M.E. (2004). In defense of the realm: Understanding the threats to information security. International Journal of Information Management, 24, Xu, D. and Shenkar, O. (2002). Institutional distance and the multinational enterprise. Academy of Management Review, 27(4),