One Size Does Not Fit All: Different Cultures Require Different Information Systems Security Interventions

Employees’ non-compliance with information systems (IS) security policies is a key concern for organizations. Previous studies have proposed different explanations for employees’ behavior, such as the use of sanctions and monitoring, fear appeal and training, which represent different paradigms of learning. Previous works do not test the validity of their models or methods across different cultural settings. Based on interviews in four countries, we argue that while information security behaviors are learned, different paradigms of learning are effective in different cultures; i.e., different cultures require different IS security interventions. What is even more important is that by providing non-preferred IS security interventions (e.g., monitoring/sanctions in Switzerland) were negative for improving information security. This study has implications for IS security research, editors, and practitioners. For scholars, we urge them to not only validate, but also test their models in different countries. The implication for editors is the need to re-consider their reviewing policy and accept papers that also show the limits of their model (not positive results) in some countries. From a managerial perspective, our findings suggest that different cultures require different IS security interventions.