CCE Theses and Dissertations

Date of Award


Document Type


Degree Name

Doctor of Philosophy (PhD)


College of Computing and Engineering


Ling Wang

Committee Member

Junping Sun

Committee Member

Gregory Simco


information science, information security, information security procedural countermeasures (ISPC), organizational culture, SETA (security, education, training and awareness)


This study examined the impact of specific organizational cultures on information security procedural countermeasures (ISPC). With increasing security incidents and data breaches, organizations acknowledge that people are their greatest asset as well as a vulnerability. Previous research into information security procedural controls has centered on behavioral, cognitive, and social theories; some literature incorporates general notions of organization culture yet there is still an absence in socio-organizational studies dedicated to elucidating how information security policy (ISP) compliance can be augmented by implementing comprehensive security education, training, and awareness (SETA) programs focusing on education, training, and awareness initiatives.

A theoretical model was developed to examine the effect of types of organizational culture on ISPC. The types of organizational culture were bureaucratic, competitive, participative, and learning culture.

To evaluate the reliability of the model, a survey was conducted by Centiment utilizing responses from its panel. The types of organizational culture and ISPC were from well-known scales derived from the literature. Data were collected from the subjects using an online survey form with a Likert scale and demographic data such as age, gender, education, industry, and size of organization.

Data analysis showed bureaucratic organizational culture significantly influenced both ISP and SETA, but the effect was positive instead of negative as hypothesized. Learning organizational culture had a significant positive effect on SETA. Both competitive organizational culture and participative culture did not have a significant effect on ISP or SETA. Learning organizational culture did not have a significant effect on ISP. This study added to the body of knowledge by adding a socio-organization aspect to understanding employees’ non-compliance and adherence to ISP and SETA. The study revealed a correlation between socio-organizational understanding and compliance to ISP and SETA. As such, better policies and training can be produced with less detrimental influence for organizations looking to follow regulations efficiently.