A Cross-Cultural Analysis of Security Countermeasure Effectiveness

Anat Hovav Korea University Business School anatzh@korea.ac.kr John DArcy University of Notre Dame jdarcy1@nd.edu Kyoungho Lee Consulting House Inc klee@consultinghouse.net

Abstract Industry surveys suggest that a substantial proportion of computer security incidents are due to the intentional actions of legitimate users. Consequences of insider misuse of IS resources (i.e., IS misuse) include financial losses, negative publicity, loss of competitive disadvantage, and loss of customer confidence. Research suggests that users awareness of security countermeasures such as security policies, security education, training, and awareness (SETA) programs, and computer monitoring can deter IS misuse by increasing the perceived certainty and severity of punishment for such behavior. However, current information security research assumes that this deterrent effect is uniform across countries and cultures. In this study, we examine whether certain country-related characteristics as defined by Hofstede (1980, 2001) impact the deterrent capabilities of security policies, SETA programs, and computer monitoring. Using samples of computer-using professional from the United States and South Korea, we find evidence that the deterrent effect of certain security countermeasures varies across the two countries. Keywords: Deterrence theory, information security management, cross cultural, South Korea Introduction It is acknowledged within the information security research community that insiders represent one of the most significant threats to the security of organizational information assets. In this study, we define an insider as a person that has legitimately been given the capability of accessing one or many components of the IT infrastructure (Magklaras et al. 2006, p. 362). The insider threat is evidenced in recent surveys that report between one-half and three-quarters of all security incidents originate from within the organization, with a substantial proportion due to the intentional actions of legitimate users (Ernst and Young 2003; InformationWeek 2005). Considering that a large percentage of security breaches go undetected, it is likely that these figures underestimate the actual level of insider information systems (IS) misuse.

Information security specialists recommend a combination a procedural and technical countermeasures for combating IS misuse. Procedural countermeasures include security policy statements, acceptable usage guidelines, and security education, training, and awareness (SETA) programs. Technical countermeasures include authentication technologies and filtering and monitoring software. Following Straub (1990), we use the term security countermeasures to collectively describe these procedural and technical controls. Based on the predictions of general deterrence theory (GDT), the above countermeasures can serve as deterrence mechanisms in that users will perceive a greater threat of getting caught and punished for IS misuse, and therefore will be less likely to engage in such behavior (DArcy and Hovav 2007a; DArcy, Hovav, and Galletta Forthcoming). A number of studies have used GDT as a theoretical perspective in examining the effectiveness of various security countermeasures. This research includes empirical investigations of the relationships between security countermeasures and aggregate misuse levels (Kankanhalli et al. 2003; Straub 1990; Wiant 2003), as well as the impact of security countermeasures on specific misuse behaviors such as software piracy, modifying, stealing, or destroying data, and computer sabotage (e.g., DArcy and Hovav 2007a; DArcy and Hovav 2007b; Foltz 2000; Gopal and Sanders 1997; Harrington 1996; Lee et al. 2004). With the exception of Lee et al. (2004), all studies were conducted in the U.S., using samples of organizations and users from Western culture. Considering the global nature of many large organizations, security managers must deal with users that reside in various countries. Hence, it is important to understand if the theories used and the countermeasures developed in Western countries are as effective in other cultures. Hofstede (1980, 1983) suggests four dimensions that differentiate countries and cultures and thus affect the behavior of employees from different cultural backgrounds. These four dimensions are: individualism versus collectivism; power distance; high versus low uncertainty avoidance; and feminism versus masculinity. According to Hofstede (1983), these dimensions affect management theories related to leadership, motivation, and organizational structure. The purpose of the current study is to investigate whether cultural differences moderate the influence of security countermeasures on IS misuse. Specifically, we compare the deterrent effectiveness of security policies, SETA program, and computer monitoring across Eastern and Western cultures using samples of computer using professionals from the U.S. and South Korea. Five Dimensions of Cultural Differences The discussion below is largely based on Hofstedes book Cultures Consequences which was first published in 1980 and included the four dimensions mentioned above. A second edition was published in 2001 and included a fifth dimension Long Term Orientation. Power Distance Power distance (PDI) is rooted in social inequity. Social inequity exists in all societies to some extent. However, some societies accept inequities as a given while other societies regard inequities as unacceptable, people from all walks of life should have equal opportunities and that no one is above the law. In countries with high PDI employees rarely disagree with their

supervisors, subordinated do not question their bosses decisions, people are generally more submissive and conforming, workers expect detailed instructions, and rely on formal rules. Workers in high PDI countries also exhibit high loyalty to their superiors and will act unethically if so ordered by their managers. Leadership in low PDI countries is more participatory and consultive while managers in high PDI countries exhibit more authoritarian style. However, managers in high PDI countries are often considered paternal and are more concerned with the employees advancement. Employees in low PDI countries have recourse when managers abuse their power while employees in high PDI countries do not. Uncertainty Avoidance Uncertainty is part of everydays life. Much like inequity, it is a given and an integral part of every individual or social structure. Individuals, organizations and societies build structures that aim to reduce their levels of uncertainty (such as rules, laws, religions, and technology). Much like power distance, some cultures accept the existence of uncertainty while others try to avoid it. Cultures with high uncertainty avoidance have lower tolerance for things that are different. Thus cultures with high uncertainty avoidance index (UAI) create more ways to defend themselves against uncertainty and have more rules, structures, traditions and resistance to change. Organizations in high UAI cultures tend to create standard operating procedures (SOPs) to reduce uncertainty, such as organizational rituals and traditions. This need for formalization also materializes in employees need for formal training. One of the measurements for the UA index has to do with compliance with organizational rules. Employees in a high UAI will not break company rules even if it is to the benefit of the organization. Employees in low UAI are much less likely than employees in high UAI societies to follow the company rules if they believe that they are unethical or damaging. In addition, employees in high UAI are more concerned with the stability of the company and with security. Countries with high UAI have more formal laws but that does not necessarily mean that the law is respected or considered just. Hofstede (2001) also cautions that uncertainty avoidance should not be equated with risk avoidance. Countries with high UAI and high PDI will have a large number of rules and policies and they are more likely to comply with these laws if their managers order them to do so. Individualism versus Collectivism Much like the other two dimensions, collectivism exists in every society. Humans are social creatures and live in social structures. However, the level of gregariousness varies among cultures. In Chinese culture the concept of an individual personality is non-existent because a distinct entity separate from society (or a sub-group in the society) does not exist. In cultures with low IND (high collectivism), the good of the group overcomes the needs or the good of the individual, leading to high loyalty to the group. While in individualist societies the welfare of the individual supercedes the welfare of the group, in high IND cultures people are driven by guilt, while in collectivist societies people are driven by shame. The concept of shame is social in nature and affects not only the individual but its group. Shame depends on the discovery of the unacceptable deed and not on the act itself. If the objectionable deed was not discovered, there is

no shame. This concept is very different from Western idea of guilt which is internal and people often are described as feeling guilty even when their crimes were not discovered. The concept of shame also relates to the concept of saving face. Saving face is important in collective societies and people are expected to redeem themselves and their families (or group, organization, clan, tribe) if they caused them to lose face. Collective societies also rely on unwritten rules that are often unknown to outsiders but assumed as a given by the in-group. In-groups also rely on self-monitoring. Monitoring is an acceptable concept and privacy is often invaded by the organization. Interestingly, one of the questions used to compose the IND index has to do with formal training. Employees in collective societies are more interested in training (average score for Koreans was 619, while the average score for Americans was 475) and place much emphasis on schooling and formal education. However, it is likely that workers in high collectivistic societies will be more accepting of training and education from members of their in-group than from members of an out-group. In high PDI and low IND societies, the relationships between an employee and its work-place (manager) are that of a family (parent). Therefore, employees are not accepted to be terminated for misconduct or bad performance. In such societies, the concept of individual responsibility (for a good or a bad deed) is much weaker than in an individualistic society. Masculine versus Feminine Gender duality is also a universal given. Males and females are regarded differently in most societies. However, the perceived role of each can vary by culture and is based on historical events and the cultural development of each society. The terms masculinity and femininity relate to acceptable social behaviors and to the general differences between the genders such as assertiveness versus nurturing, social versus ego, and cooperation versus advancement in the workplace. In high masculine societies the differences between gender roles are greater than in low masculine societies. The rest of the differences measured by Hofstede are related to work goals and have little relevance to our study. Long versus Short Term Orientation A fifth dimension was later added based on a study by Michael Harris Bond and is rooted in Confucian thinking. It was first measured for a number of Asian countries and later expanded to several European countries. Confucian thinking deals with pure ethics and social behavior without any religious context. This is contradictory to most Western philosophy where ethical behavior is connected to a supreme being. Thus, in Easter cultures ethical behavior is within and individuals rely on themselves to maintain their humanity rather than on an external, eternal force. Some of the key elements in Confucius thinking are: maintaining harmony (family, workplace, society); maintaining ones dignity; respecting others (i.e., do not do to others as you do not want done to you); thrift and moderation; and education.

Although the basis of the index is rooted in Confucius philosophy, it is termed LTO (long-term orientation) because some of its components deal with perseverance and long-term goals versus quick gratification and short-term views. For example, in Western countries, organizations and managers are evaluated based on short-term objectives such as the bottom line for the year or the companys market value for the quarter, while companies in Japan take a more long-term approach of expansion, survivability, and sustainability. Countries with high LTO will exhibit higher work ethics. However, as mentioned above, Confucius thinking has little regard to formal laws. In addition, if certain controls (such as security countermeasures) reduce organizational harmony or interfere with daily tasks, they may be ignored. Research Model and Hypotheses The studys research model is based on an earlier GDT-based model that was tested by DArcy, and Hovav 2007a using a sample of U.S. employees. The model posits that user awareness of security policies, SETA program, and computer monitoring have a direct effect on IS misuse intention, after controlling for age and gender. Our contention is that the model will behave differently for users in South Korea versus users from the U.S. While prior research measured general information security awareness of users (Hue and Dinev 2005; Dinev and Hue 2007), this study measures the extent to which users are aware of the existence of countermeasures in their respective organizations and the impact of this awareness on their intentions to misuse computer resources. According to Hofstedes (2001) scales, South Korean (KOR) and U.S. cultures differ on all five dimensions. While employees in the U.S. scored extremely high on individualism, KOR scored very high on collectivism. Similarly, U.S. scored very high on low power distance; that is, the power distance between managers and employees is very low. Conversely, KOR scored high on a large power distance, meaning that the distance between employees and their supervisor is large; U.S. scored low on uncertainty avoidance (i.e., Americans have higher acceptance of uncertainty, or of things that are different.) while KOR scored high on uncertainty avoidance (i.e., South Koreans build more structures that help defend against uncertainty such as traditions, rules, standard, and procedures). Finally, U.S. scored high on masculinity and short-term orientation while KOR scored high on feminism and long-term orientation. These differences (summarized in Table 1) are used to develop the research hypotheses in the following sections.
Table 1. Summary score on the five cultural dimensions U.S. vs. South Korea (KOR)

Individualism U.S. KOR H=91 L=18

Power Distance L= 40 H=60

Uncertainty Avoidance L=46 H=85

Masculine /Feminine M=62 F=39

Long/Short Term Short=29 Long=75

We use Hofstedes typology of cultural dimensions since it has been validated in prior crosscultural studies over time and in dozens of countries (Sondergaard 1995). For example, Kim, Park and Suzuki (1990) used the individualism index and the measure of masculinity to assess the differences in rewards allocations between the U.S., Japan and KOR and found these measures to support their hypotheses. Similarly, Christie et al. (2003) found support for these indices, as well as power distance, in their cross-cultural analysis that included KOR. Christie et. als (2003) study of unethical behavior supports the use of individualism, power distance and to 5

some extent masculinity. Rhee (2002) found that participants were less collectivistic than in Hofstedes (1991) study. His data showed that individualism and collectivism were valued equally. Similar patterns were found for masculinity and femininity. However, despite the change, Koreans score on collectivisms and feminism values were higher than the scores attributed to the U.S. As to the rest of the dimensions in Rhees study, power distance was slightly lower (56 instead of 60) and uncertainty avoidance was slightly higher than Hofstedes scores, and the Confucius dynamism data indicated somewhat lower score than in Hofstede (1991) study. Yet, participants valued long-term characteristics (e.g., ordering relationships by status, observing order) as more important than short-term characteristics. IS Misuse Intention IS misuse intention is defined as an individuals intention to perform a behavior that is identified by the organization as a misuse of IS resources (Magklaras and Furnell 2006). The domain of IS misuse is quite varied, ranging from behaviors that are unethical and/or inappropriate (e.g., inappropriate use of e-mail) to those that are illegal (e.g., modifying company information). For purposes of this study we take an aggregate approach and utilize a composite scale that measures general IS misuse intentions (INT) across a variety of behaviors. Given the cultural differences discussed above, it is likely that misuse intentions in KOR are driven less by the letter of the law and more by internal sense of dignity, saving face and ethical behavior. The loyalty of KOR employees to their company and managers, and the concept of a tribe or an in-group is uncommon in individualistic societies such as the U.S. Particularly, KOR employees spend a relatively larger number of hours at work or in work related activities compared to U.S. employees (the average worker in the U.S. works approximately 1,800 a year while the average KOR worker works approximately 2,200 a year1). Thus, in KOR users strongly identify with their workplace and are likely to exhibit higher loyalty. Maintaining a harmonious work environment is also important (high LTO and low IND). Therefore, if users believe that IS misuse can cause disharmony, they will be reluctant to engage in such behavior. Hence, we anticipate that IS misuse intentions will be lower in KOR than in the U.S. H1: INT will be lower among KOR users compared to U.S. users. Security Policies, SETA Program, and Computer Monitoring Uncertainty avoidance (UAI) in KOR is high. Therefore, on average, companies in KOR are more likely to have formal rules and laws. Further, due to the high PDI in KOR, managers are revered and employees are likely to follow policies that are dictated to them by their supervisors (even if employees believe these policies may be unethical or damaging to the company). In contrast, employees in the U.S. have a lower UAI and lower PDI and therefore are more likely to ignore certain organizational policies. From a deterrence perspective, security policies rely on the same underlying mechanism as societal laws in that they provide knowledge of what constitutes unacceptable conduct, thereby increasing the perceived threat of punishment for illicit behavior (Lee and Lee 2002).Hence, we hypothesize the following: H2: Security policies will have a stronger negative influence on INT in KOR than in the U.S.
1

http://www.cnn.com/2007/BUSINESS/09/02/un.productivity.ap/index.html [accessed 9/17/2007]

A major driver of the KOR culture is educating and mentoring (high LTO and high PDI). Although, there is a large power distance between managers and subordinates, the relationship is often paternal. Managers are considered mentors. They provide their subordinates with help, training, and guidance. Thus the idea of training and education is central to KOR culture regardless of whether it is a formal training session or informal guidance. SETA programs are a form of organizational education/training that focus on raising employee awareness of their computer security responsibilities as well as emphasizing recent actions against employees for security policy violations (Straub and Welke 1998; Wybo and Straub 1989). A SETA program is an ongoing effort that might include a combination of security awareness e-mails and newsletters, briefings on the consequences of IS misuse, and periodic security refresher courses (von Solms and von Solms 2004). Given the strong emphasis on education and training in KOR culture, it is likely that KOR employees will be more receptive to the deterrent message conveyed through SETA programs than U.S. employees. Hence, we hypothesize the following: H3: SETA programs will have a stronger negative influence on INT in KOR than in the U.S. The centralization of power (high PDI), the idea of collectivism (low IND), and Confucius teaching (high LTO) in KOR introduce the concepts of dignity, honor, shame, and saving face which together drive ethical behavior. According to Hofstede, lose of face only occurs when the misdeed is discovered. Since people are expected to redeem themselves, their family, or the organization they work for, the idea of getting caught is expected to be a very strong demotivator in KOR. In contrast, the concept of getting caught and losing face is not as strong an issue in U.S. culture. Computer monitoring is an active security countermeasure that increases the organizations ability to detect many types of IS misuse. Considering that getting caught and losing face is extremely undesirable in the KOR culture, we assume that computer monitoring will have a stronger deterrent effect for KOR employees than for U.S. employees. Hence, the following hypothesis: H4: Monitoring will have a stronger negative influence on INT in KOR than in the U.S. Methodology The Survey A survey instrument was used for data collection. The survey consisted of five scenarios that depicted the following IS misuse behaviors: password sharing, inappropriate use of e-mail, software piracy, unauthorized access to company data, and unauthorized modification of company data. Following each scenario, respondents were asked two questions (INT1 and INT2) that assessed the likelihood that they would engage in the scenario behavior in the own workplace. A composite IS misuse intention (INT) score was created by summing the responses across the five scenarios2. The survey also contained items that assessed user awareness of the security countermeasures as well as demographic items (see DArcy and Hovav 2007b for
INT1 = = INT1(scenario1) + INT1(scenario2) + INT1(scenario3) + INT1(scenario4) + INT1 (scenario5); INT2 = INT2(scenario1) + INT2(scenario2) + INT2(scenario3) + INT2(scenario4) + INT2 (scenario5). The composite values for items INT1 and INT2 were then used in the PLS analysis.
2

detailed survey development). The survey was translated by a bi-lingual expert in information security management and risk assessment for the South Korean respondents. Sample For the U.S. sample, survey responses were collected from two groups of participants: employed professionals taking evening MBA classes at two mid-Atlantic U.S. universities and employees in eight organizations located across the U.S. A total of 238 usable responses were obtained from the MBA students and 269 usable responses from the company employees. Results and the instrument validation and hypotheses testing were largely consistent across the two sample groups and therefore the data were pooled (n=507) to facilitate brevity of results reporting. The combined sample consisted of almost two-thirds (65%) males, and about half of respondents (50%) were in the 25-34 age group. Respondents held managerial (25%), technical (30%), professional (39%), and administrative (6%) positions and worked in various industries including manufacturing (32%), finance/insurance (22%), software (17%), healthcare (10%), advertising/marketing (7%) education (6%), and retail (6%). Company size ranged from small to large, with a sizable portion (44%) having 10,000 or more employees. For the South Korean sample, survey responses were collected from employed, part-time evening MBA students taking classes at a large university in Seoul, South Korea and from employees in two medium-sized companies also in Seoul. A total of 64 usable responses were obtained from the MBA students and 73 from the company employees. As with the U.S. sample, the MBA and company responses were combined. The combined sample consisted of threequarters (75%) males, and about 60% of respondents were in the 25-34 age group. Respondents held managerial (35%), technical (26%), professional (26%), and administrative (13%) positions and worked in various industries. Company also ranged from small to large, with a sizable portion (67%) having less than 1,000 employees. Analysis and Results Partial least squares (PLS-Graph 3.00) was used to analyze the data. The main reason for selecting PLS was because it does not impose normality requirements on the data (Chin 1998). Formal tests revealed that some of our measures were not normally distributed. Following recommended two-stage procedures (Anderson and Gerbing 1988), we assessed the measurement model first, followed by the structural relationships. Standard tests of convergent validity, discriminant validity, and reliability indicated that our measures possessed adequate psychometric qualities. These tests are detailed in DArcy and Hovav (2007b). Before examining the structural relationships, we tested H1 by comparing the mean of INT for the U.S. and KOR samples. The mean INT was 12.11 for the U.S. sample and 14.203 for the KOR sample, and an independent samples t-test showed that this difference is significant (p<.001). Thus, H1 is supported. To test H2, H3, and H4 we ran separate PLS structural models for each group (U.S. and KOR). Results of the PLS runs are shown in Figures 1 and 2.

Note again that INT is a composite of the five scenarios and therefore the scoring range is from 5 to 35.

South Korean (KOR) Sample (n=137) Security Policies -.018 User Awareness of .169** SETA Program -.229* IS Misuse Intention R2 = .10 -.080 Computer Monitoring Notes: (1) Paths in dash are not significant (p> .10) .069 Gender Age

*p < .05 **p < .01 ***p <.001

Figure 1. PLS Structural Model for KOR Sample

United States (U.S.) Sample (n=507) Security Policies -.267** User Awareness of -.224*** SETA Program -.145** IS Misuse Intention R2 = .20 .083 Computer Monitoring Notes: (1) Paths in dash are not significant (p> .10) .083 Gender Age

*p < .05 **p < .01 ***p <.001

Figure 2. PLS Structural Model for U.S. Sample

As shown in figures 1 and 2, both user awareness of SETA program and computer monitoring have a stronger negative relationship with INT for the KOR sample compared to the U.S. sample. Statistical tests using the approach suggested by Keil et al. (2000) showed that the differences in the SETA program to INT and computer monitoring to INT path coefficients from the two groups were significant at the 0.05 and 0.10 levels, respectively. Hence, there is support for H3 and H4. The results in figure 1 and 2 also show that user awareness of security policies has a stronger negative relationship with INT for the U.S. sample. This is opposite to our prediction and therefore H2 is not supported. Discussion The purpose of this study was to examine whether cultural differences moderate the influence of security policies, SETA program, and computer monitoring on IS misuse intention. Using 9

independent samples of computer-using professionals from the U.S. and South Korea, we found some evidence that the deterrent effectiveness of security countermeasures differs between the two countries. However, our results were not exactly as predicted by Hofstedes cultural dimensions. Contrary to our predictions, the results suggest that the deterrent effect of security policies is stronger for U.S. employees compared to KOR employees. A possible reason for this is that U.S. employees are more exposed to security policies due to the increasing number of U.S. laws and regulations that pertain to information security. Another plausible explanation involves the mechanism through which security policies achieve deterrence. Research by DArcy et al. (2007) suggests that the influence of security policies on IS misuse is indirect through perceived severity of sanctions. South Korean culture places less regard on formal laws and policies and more on respect and dignity, whereas Western cultures (low LTO) are more influenced by short term repercussion such as a punishment. Therefore, while in KOR the mere idea of getting caught may be enough to deter misuse behavior (while the extent of the actual punishment is less relevant because the shame of being caught is more traumatic than any formal punishment), in the U.S. the extent of the punishment is likely the key deterrent while the idea of getting caught secondary (i.e., if I cant get caught, I will not be punished).Given that security policies achieve deterrence by increasing perceived punishment severity, they are more likely to be effective on U.S. employees. Our results also suggest that SETA programs have a stronger deterrent influence on IS misuse for KOR employees compared to U.S. employees. This was expected considering that education and training is a central aspect of the KOR culture. However, the results showed a significant negative influence of SETA programs in both samples, suggesting that SETA programs are effective deterrent mechanisms across cultures. This is a key finding for security managers considering the global nature of many organizations. It should also be noted that the lesser influence of security policies in the KOR sample does not diminish the significance of this countermeasure in KOR organizations. Security policies are the foundation of many SETA programs and are used a primary training tool for several aspects of the SETA program (Peltier 2005). Hence, an effective SETA program is somewhat dependent on the existence of security policies. Our results do, however, suggest that security policies alone are not as effective in deterring IS misuse among KOR employees compared to U.S. employees. The results also suggest that computer monitoring is a more effective deterrent in KOR compared to the U.S. However, computer monitoring did not have a significant relationship with IS misuse intention in either sample, so these results have limited practical value. The nonsignificance of computer monitoring may be because employees do not equate monitoring with being caught. Anecdotal evidence suggests that while employees are aware that their computing activities are being monitored and recorded, they do not believe that IT personnel are reviewing these logs on a regular basis. It is also possible that even if users feel that monitoring increases their chances of getting caught, they doubt the punishment will be severe since convicted computer abusers have historically received light punishments and have even been hired as consultants (Lee and Lee 2002). For now, these explanations are speculative and only future research can determine their plausibility.

10

In terms of the control variables, the results suggest that the impact of age on IS misuse intention differs between the two countries: for the U.S. sample, older employees are less likely to engage in IS misuse while for KOR sample older people are more likely to engage in misuse. This might be due to the high PDI index for KOR. In high PDI cultures, older employees (often termed seniors) feel that they have more privileges and are above the law. Thus they are more inclined to engage in some IS misuse behavior. Finally, there are two significant cautions that should be applied to any interpretation or use of Hofstede's work. First, the values expressed are particularly those of the middle class standardization of the country samples was effected through the marketing and service functions of a single organizations personnel, with an emphasis on managerial, sales, technical, and administrative staff (Hofstede 1980, p. 73). However, considering that these characteristics typify most organizational computer users, this limitation may not be critical for our study. An additional note is that studies that used Hofstedes (2001) cultural dimensions as a theoretical basis should control for age and gender, which was done in this study. Conclusions We examined whether the deterrent effectiveness of security policies, SETA programs, and computer monitoring differ between Eastern and Western cultures using independent samples of computer-using professionals from the U.S. and South Korea. The results suggest that security policies have a greater deterrent effect on U.S. employees while the deterrent effectiveness of SETA programs and computer monitoring is stronger for South Korean employees. The results also point to effectiveness of SETA programs across cultures, as they were associated with lower IS misuse intentions in both samples. From a theoretical perspective, the findings extend the applicability of GDT outside the boundaries of the U.S. Future studies should continue to assess the effectiveness of GDT-based security countermeasures across different countries and cultures. As a final note, the authors are currently collecting additional South Korean survey responses and these results should be available for presentation at the workshop. References Anderson, J.C., and Gerbing, D.W. (1998) "Structural equation modeling in practice: A review and recommended two-step approach," Psychological Bulletin, 103(3), 411-423. Chin, W. (1998) "The Partial least squares approach to structural equation modeling," in: Modern Methods For Business Research, G.A. Marcoulides (ed.), Lawrence Erlbaum Associates, Mahwah, NJ, 295-336. Christie, M.J., Kwon, G. Stoeberl, P.A. and Baumhart, R., (2003) A cross-cultural comparison of ethical attitudes of business managers: India, Korea and the United States, Journal of Business Ethics, 46(3), 263-287. DArcy, J. and Hovav, A. (2007a) Deterring internal information systems misuse: An end user perspective, Communications of the ACM, 50(10), 113-117. DArcy, J. and Hovav, A. 2007b Towards a best fit between organizational security countermeasures and information systems misuse behaviors, Journal of Information System Security, 3(:2), 1-30.

11

DArcy, J., Hovav, A., and Galletta, D. (forthcoming) User awareness of security countermeasures and its impact on information systems misuse: A deterrence perspective, Accepted for publication by Information Systems Research. Dinev, T. and Hu, Q. (2007) The centrality of awareness in the formation of user behavioral intention toward protective information technology, Journal of the Association for Information Systems 8(7), 386-408. Ernst & Young. (2003) "Global Information Security Survey 2003," New York, NY. Foltz, C.B. (2000) "The Impact of deterrent countermeasures upon individual intent to commit misuse: A behavioral approach," Unpublished Doctoral Dissertation, University of Arkansas. Gopal, R.D., and Sanders, G.L. (1997) "Preventative and deterrent controls for software piracy," Journal of Management Information Systems 13(4), 29-47. Harrington, S.J. (1996) "The effect of codes of ethics and personal denial of responsibility on computer abuse judgments and intentions," MIS Quarterly 20(3), 257-278. Hofstede, G. (1980) Culture's consequences: International differences in work- related values, Sage Publications, Beverly Hills, CA. Hofstede, G. (1983) The cultural relativity of organizational practices and theories, Journal of International Business Studies, 14(2), 75-89. Hofstede, G. (2001) Culture's consequences: Comparing values, behaviors and organizations across nations, 2nd ed., Sage Publications, Thousand Oaks, CA. Hu, Q. and Dinev, T. (2005) Is Spyware and Internet nuisance or public menace? Communications of the ACM 48(8), 61-66. InformationWeek. (2005) U.S. information security research report 2005, United Business Media. Kankanhalli, A., Teo, H.-H., Tan, B.C.Y., and Wei, K.K. (2003) "An integrative study of information systems security effectiveness," International Journal of Information Management 23(2), 139-154. Kim, K.I., Park, H.J., and Suzuki, N. (1990) Reward allocation in the United States, Japan and Korea: A comparison of an individualistic and collectivistic cultures, The Academy of Management Journal, 33(1), 188-198. Lee, J., and Lee, Y. (2002) "A Holistic Model of Computer Abuse within Organizations," Information Management & Computer Security, 10(2). Lee, S.M., Lee, S. G., and Yoo, S. (2004) "An integrative model of computer abuse based on social control and general deterrence theories," Information and Management 41(6), 707718. Magklaras, G.B., Furnell, S.M., and Brooke P.J. (2006) "Towards an insider threat prediction specification language," Information Management & Computer Security 14(4), 361-381. Peltier, T.R. (2005) Implementing an information security awareness program, Information Systems Security 14(2), 37-49. Rhee, Y. (2002) Global public relations: A cross-cultural study of the excellence theory in South Korea Journal of Public Relations Research 14(3), 159-184. Sondergaard, M. (1994) Hofstede's consequences: A study of reviews, citations and replications, Organization Studies, 15(3), 447-456. Straub, D.W. (1990) "Effective IS security: An empirical study," Information Systems Research 1(3), 255-276.

12

Straub, D.W. and Welke, R.J. (1998), "Coping with systems risk: Security planning models for management decision making," MIS Quarterly, 22 (4), 441-469. von Solms, R. and von Solms, B. (2004), From policies to culture, Computers & Security, 23 (4), 275-279. Wiant, T.L. (2003) "Policy and Its Impact on Medical Record Security," Unpublished Doctoral Dissertation, University of Kentucky. Wybo, M.D. and Straub, D.W. (1989), "Protecting organizational information resources," Information Resources Management Journal, 2 (4), 1-15.

13