The Influence of Cybersecurity Culture on Governance in 1,000 Breached Companies
Dr. Robert Failla’s research investigates the relationship between organizational culture and information security governance, a critical dimension of overall information security culture. While the impact of organizational culture on security has long been recognized, it remained poorly understood, particularly through quantitative methods. Dr. Failla’s work fills this gap, examining how cultural characteristics shape the effectiveness of governance practices in a population of 940 organizations that had experienced security breaches.
Leveraging established frameworks from Da Veiga, Martins, and Eloff, Hofstede and colleagues, and Tang, Li, and Zhang, Dr. Failla applied rigorous measurement tools to assess the intersection of organizational culture and information security governance. Publicly available data, including breach records catalogued in the Privacy Rights Clearinghouse Database, allowed him to identify specific cultural dimensions that may hinder an organization’s ability to reduce risk. His analysis revealed correlations between cultural traits and governance attributes, providing actionable insights for security leaders seeking to strengthen governance programs in alignment with their organizational culture.
This research not only highlights the ways in which culture influences governance effectiveness but also opens new avenues for future study. Dr. Failla’s findings provide a foundation for further quantitative research, mixed-methods studies, and experimental approaches, advancing the understanding of how organizational culture shapes security outcomes and enabling leaders to design more resilient, risk-aware organizations.
Below is a non-academic, detailed summary of my research written for the cyber executive. The text below condenses the dissertation down to about 25% of its total length using AI. To break things down even further, the reader can skim the executive summary at the beginning of every chapter.
Enjoy the research. If you want the full dissertation, you can go here.
Chapter 1
The Introduction
Chapter 1: Introduction (Part 1)
Executive Summary: The Critical Role of Organizational Culture in Cybersecurity Governance
Overview
Technology alone cannot solve information security challenges. Increasingly, research highlights the crucial role of human behavior and organizational culture in shaping cybersecurity outcomes. This research examines how organizational culture influences information security governance, providing valuable insights for boards of directors and cybersecurity executives seeking to mitigate the human risks inherent in IT systems.
Why Culture Matters in Cybersecurity
High-profile disasters across industries—such as the Deepwater Horizon oil spill and the Equifax data breach—demonstrate that organizational culture is often a root cause of catastrophic failures. In both cases, a culture that deprioritized safety or security led to significant financial losses, reputational damage, and regulatory scrutiny. For instance, the Equifax breach, which compromised the personal information of 148 million people, was attributed to a “culture of cybersecurity complacency” and poor governance structures. This led to leadership changes and a reorganization of the company’s security oversight.
Similar patterns are evident in broader corporate governance failures, like those at Enron and Siemens, where weak organizational cultures enabled fraud, corruption, and massive losses. These examples underscore that cultural weaknesses—whether in broader corporate governance or in information security—can have equally devastating consequences.
The Link Between Culture and Governance
Organizational culture encompasses the values, beliefs, and practices that guide behavior within a company. Researchers, including Hofstede and Da Veiga, have shown that cultural factors heavily influence how employees perceive and engage with information security policies, controls, and responsibilities. When culture supports strong governance—emphasizing compliance, accountability, and the importance of security—organizations are better equipped to protect their information assets.
Conversely, cultures that tolerate rule-bending, lack clear communication, or fail to prioritize security create environments ripe for breaches and regulatory violations. The cost of such failures is not limited to direct financial losses; it also includes damage to customer trust, shareholder value, and long-term competitiveness.
Research Gaps and Objectives
While prior studies (notably by Tang et al., 2016) have explored the relationship between organizational culture and information security culture, significant gaps remain. Most research is limited in scope (e.g., focused on a single company or industry), lacks empirical data, or is methodologically complex, making actionable insights difficult for executives.
This study addresses these gaps by:
- Examining a larger and more diverse sample of organizations,
- Focusing specifically on the relationship between six established aspects of organizational culture (as defined by Hofstede et al.) and five key aspects of information security governance (as identified by Da Veiga et al. and Tang et al.),
- Providing empirical evidence to support, refine, or challenge existing theories about how culture influences security governance.
Key Aspects of Information Security Governance
The study uses a composite definition of governance, focusing on:
1. Management adherence to information security policies,
2. Adequacy of controls over information assets,
3. Perceived importance of information security within the organization,
4. Protection of information assets,
5. Positioning and authority of information security functions.
Implications for Business Leaders
For executives and board members, the message is clear: Organizational culture is foundational to effective cybersecurity governance. Efforts to improve security must go beyond technology investments and include deliberate strategies to shape culture—through leadership, policy, communication, and accountability.
By understanding and addressing the cultural factors that influence security behavior, organizations can reduce risk, improve compliance, and enhance resilience against cyber threats. This research provides the empirical foundation and practical focus needed to guide such efforts at the highest levels of corporate leadership.
Chapter 1: Introduction (Part 2)
Purpose and Context
This research investigates the empirical relationship between organizational culture—using Hofstede et al.’s (1990) well-established framework—and the five key components of information security governance as defined by Da Veiga et al. (2007) and Tang et al. (2016). The study specifically focuses on companies that have experienced at least one security breach since 2016, as identified by the Privacy Rights Clearinghouse.
Significance and Research Gap
While organizational culture has been extensively studied in management literature, and its impact on various organizational outcomes is widely acknowledged, the intersection of organizational culture and governance—particularly in the context of information security—remains underexplored. Most prior research on governance is qualitative, and empirical, quantitative studies linking culture and governance are rare. This study aims to fill that gap by providing data-driven insights into how organizational culture influences information security governance practices, a critical concern for businesses facing rising cybersecurity threats.
Research Design and Methodology
- Quantitative Approach: The study uses a correlational research design, leveraging statistical analysis to examine relationships between organizational culture (independent variable) and governance (dependent variable).
- Data Sources: Company data was drawn from public platforms such as Glassdoor and LinkedIn, with breach history verified through the Privacy Rights Clearinghouse.
- Frameworks Used:
- Culture: Hofstede’s model, which identifies dichotomies such as professional/normative and tightly/loosely controlled organizational types.
- Governance: The five aspects outlined by Da Veiga et al. and Tang et al., which include executive commitment, structure, processes, and more.
Key Research Question and Hypotheses
The core research question is: Can statistical correlations be found between organizational culture (per Hofstede) and the five aspects of governance (per Da Veiga and Tang) among companies with a history of security breaches?
- Null Hypothesis (H0): No correlation exists between the defined organizational culture types and governance aspects.
- Alternative Hypothesis (H1): At least one cultural dichotomy correlates with one or more aspects of governance.
Sub-hypotheses were developed and tested to examine these potential relationships in detail.
Theoretical Foundations
- Organizational Culture: As a multidimensional construct, culture has been debated and measured from various perspectives. Hofstede’s influential model categorizes organizational cultures and has been widely applied, despite some criticism.
- Governance: Research in this area is less mature, especially when linked to cultural variables. Prior studies (e.g., Koh et al., 2005; Tang et al., 2016) suggest that strong, centralized management and top leadership commitment are critical for effective information security governance.
Contributions and Implications
- Filling a Research Void: This study is among the first to quantitatively link specific cultural dimensions with governance outcomes in the context of information security.
- Practical Relevance: Findings could inform how organizations structure their governance and security policies based on underlying cultural attributes. For example, “professional” or “normative” cultures may prioritize information security at higher organizational levels, while “loosely controlled” cultures may place less emphasis, potentially increasing vulnerability.
- Future Research: The study lays a foundation for further empirical work in this intersectional field, encouraging both academics and practitioners to consider cultural diagnostics as part of governance and risk management strategies.
Conclusion
For business executives, this research underscores the measurable impact organizational culture can have on information security governance. Recognizing and strategically shaping cultural attributes may enhance governance effectiveness, reduce breach risks, and support overall organizational resilience in an increasingly complex cybersecurity landscape.
Chapter 1: Introduction (Part 3)
Key Definitions
To provide clarity, several foundational terms are defined:
- Organizational Culture: The collective values, beliefs, and principles that shape how members of an organization interact and behave (Nikpour, 2017).
- Information Security Culture: A sub-culture within organizations, comprising the attitudes, assumptions, values, and knowledge employees apply when interacting with information security systems and procedures (Da Veiga & Martins, 2007).
- Governance (Information Security Governance): The strategic deployment of information security measures to mitigate organizational risk (Da Veiga et al., 2007).
- Cultural Practices and Values: The observable symbols, rituals, and heroes of a culture (practices) and the deeper, often unconscious, core feelings of what is good or bad, normal or abnormal (values) (Hofstede et al., 1990).
- Fear Appeal, Protection Motivation Theory, and Theory of Planned Behavior: Psychological constructs used to understand and influence individual behavior related to security threats and protective actions.
Assumptions and Scope
The research assumes:
1. Publicly sourced organizational culture data (e.g., from Glassdoor) accurately reflects internal realities.
2. English-language materials are sufficient for the research scope.
3. Researcher-assigned attributions for cultural dimensions are consistent with established literature.
The study’s scope is specifically bounded by the relationship between organizational culture and information security governance (excluding broader aspects of corporate or IT governance). The population studied consists of organizations that experienced data breaches between 2016 and 2020, as identified by The Privacy Rights Clearinghouse.
Methodological Limitations and Delimitations
Several limitations are present:
- Language Bias: Research is limited to English-language sources, potentially excluding relevant international perspectives.
- Confounding Variables: Factors such as national culture, funding, or individual leadership decisions could influence outcomes, making it difficult to establish causality.
- Research Breadth: Due to practical constraints, the study focuses solely on the “Governance” component of information security culture (as defined by Da Veiga et al., 2007 and Tang et al., 2016), rather than attempting to address all facets (e.g., communication, compliance, accountability).
Research Purpose and Findings
The primary aim is to test the generalizability of Tang et al.’s (2016) propositions regarding the role of organizational culture in shaping information security governance. Specifically, the study investigates whether certain cultural characteristics consistently influence the effectiveness of information security governance practices in organizations that have experienced security breaches.
Hofstede et al. (2010) underscore that sub-organizational cultures—such as those related to information security—exist within broader organizational and national cultures, influencing governance practices in complex ways. The literature review contextualizes information security governance within the larger frameworks of corporate and IT governance, highlighting the interdependencies and nuances of each.
Implications for Executives
- Organizational culture is a critical enabler or barrier to effective information security governance; leaders should be keenly aware of the values and behaviors that shape employee actions.
- Sub-cultures matter: Information security culture operates as a distinct sub-culture, which may be at odds with or reinforced by broader organizational norms.
- No one-size-fits-all approach: National culture, leadership, and organizational context can all influence the success of governance initiatives.
- Further research is needed: While propositions exist, more empirical studies are required to establish robust, actionable theory on how culture and governance interact in the security domain.
Conclusion
Understanding and actively managing organizational culture is fundamental to strengthening information security governance. Executives should recognize the interplay between culture and governance, invest in culture-shaping initiatives, and support ongoing research to address evolving security challenges.
Chapter 2
The Literature Review
Literature Review (Part 1)
Summary for Business Executives
This literature review synthesizes key academic work on the interplay between organizational culture and governance, with particular attention to information security culture and organizational culture. The review draws from a broad base of sources—including books, peer-reviewed journals, conference proceedings, and doctoral dissertations—to establish a comprehensive, contemporary understanding of these topics relevant to modern organizations.
Approach and Methodology
The review was conducted using a systematic approach. Literature from 1979 onward was considered for organizational culture, aligning with its emergence as a scholarly field, while information security governance literature was included from 1990, reflecting its more recent academic recognition. The researcher employed Boolean logic in database searches—combining terms like “cybersecurity” and “organizational culture”—to focus on the intersection of culture and governance. This ensured the inclusion of both broad contextual works and targeted studies on independent (organizational culture) and dependent (governance) variables. Key foundational theorists such as Hofstede and Schein were central to the analysis, given their influence on subsequent research.
Key Concepts Differentiated
- Organizational culture is the shared learning, values, and practices that shape how an organization solves problems of internal integration and external adaptation (Schein, 2017).
- Information security culture is a sub-culture within organizations, focusing on shared norms, behaviors, and values around protecting digital assets.
- National culture, per Hofstede, is the set of values and behaviors individuals inherit by being born into a particular country, distinct from the organizational culture they later join.
- Governance Concepts:
- The literature differentiates governance (broadly, the systems and processes for decision-making and control) from corporate governance (focused on board and shareholder oversight), IT governance (oversight of information technology), and information security governance (specific policies and structures for managing cybersecurity risks).
Theoretical Foundations of Culture
Hofstede and Schein are leading authorities:
- Hofstede classifies culture as “the software of the mind,” identifying six dimensions of national culture (power distance, individualism/collectivism, masculinity/femininity, uncertainty avoidance, long-/short-term orientation, indulgence/restraint). He cautions against conflating national and organizational cultures, as the former is innate and the latter acquired.
- Schein proposes a structural model, with culture comprising artifacts, values, and underlying assumptions. He highlights the layered nature of culture—national, organizational, and sub-organizational—and the risk of researcher bias when analyzing cultures nested within one another.
East-West and National Culture Distinctions
Decades of research (Rozen et al., 2016; Hofstede et al., 2010) show profound differences between Eastern and Western cultures, influencing thinking styles, individualism, and approaches to uncertainty. For example, Chinese and American organizations score differently on key cultural dimensions, affecting how governance and security practices are implemented and received.
Implications for Multinational Organizations
The findings highlight the critical need for multinational firms to recognize and adapt to the distinctiveness of national and organizational cultures. Strategies successful in one cultural context may not translate directly to another due to ingrained differences in values and practices.
Research Gaps and Ongoing Debate
While Hofstede’s framework underpins much empirical research, it is not without criticism, and ongoing debate persists about its applicability and limitations. The review acknowledges these critiques but recognizes the framework’s enduring influence.
Conclusion
This literature review lays the groundwork for examining how organizational culture impacts information security governance. It stresses the importance of distinguishing between types of culture, understanding their influence on governance structures, and recognizing the complexity added by multinational operations. For executives, the takeaway is clear: effective governance—especially in information security—requires nuanced, context-sensitive approaches that account for both organizational and national culture.
Chapter 2: Literature Review (Part 2)
Understanding Organizational Culture
Organizational culture is a complex and multifaceted concept, influencing every aspect of how organizations operate and adapt to challenges. While no single definition is universally accepted, scholars generally agree that organizational culture is holistic, historically shaped, rooted in rituals and symbols, socially constructed, intangible (or “soft”), and inherently resistant to change (Hofstede et al., 2010). It comprises shared values, norms, assumptions, and beliefs among members, directly shaping employee attitudes, decisions, and behaviors (Pietersen, 2017; Schein, 2017).
Schein (2017) describes culture as the collective learning a group accumulates while solving problems of both external adaptation and internal integration, which becomes so ingrained that it is taught as the correct way to think and behave. This complexity, combined with diverse research perspectives, makes measuring and managing culture challenging, but not impossible. Tools developed by Hofstede and others provide frameworks for identifying key cultural attributes, which can be foundational for targeted change initiatives (Covas, 2019).
Hofstede’s Six Dimensions of Organizational Culture
Hofstede et al. (2010) identified six dimensions that help organizations diagnose and understand their cultures:
1. Process- vs. Results-Oriented:
Process-oriented cultures focus on risk avoidance and routine tasks, with minimal effort expended—drug manufacturers are a prime example. Results-oriented cultures, by contrast, thrive on challenge, tolerate uncertainty, and expect maximal individual effort.
2. Employee- vs. Job-Oriented:
Employee-oriented cultures prioritize personal welfare and group decision-making, while job-oriented cultures emphasize task completion, individual accountability, and often place job requirements above personal concerns.
3. Parochial vs. Professional:
Parochial cultures foster strong employee identification with the organization, sometimes extending organizational norms into personal life. Professional cultures focus on job competence, uphold clear boundaries between work and private life, and recruit based on skills rather than fit with organizational social norms.
4. Open vs. Closed Systems:
Open systems are welcoming to outsiders and help new employees integrate quickly. Closed systems are more secretive and insular, with slow orientation for newcomers; this dimension is often influenced by national culture.
5. Loose vs. Tight Controls:
Loose control environments are informal, flexible with costs and schedules, and foster a relaxed atmosphere. Tight control cultures are cost- and schedule-conscious, formal, and discourage informality.
6. Normative vs. Pragmatic:
Normative cultures prioritize strict adherence to rules, ethics, and procedures, sometimes at the expense of results. Pragmatic cultures focus on customer needs, results, and a practical approach to ethics and rules.
Information Security Culture as a Subculture
Organizational subcultures often emerge within functions or departments, especially in areas like information security. Research since the early 2000s has explored how information security culture is shaped and how it can be measured and managed (Chen et al., 2015; Da Veiga et al., 2007).
Key findings include:
- Information security culture is a subtype of organizational culture, encompassing shared assumptions about acceptable security behaviors (Martins & Eloff, 2002).
- Employee participation in security governance increases ownership and responsibility, but formal processes and strong management leadership are crucial for fostering desired security behaviors (Koh et al., 2005; Thomson et al., 2006).
- A strong security culture requires more than compliance; it must be internalized as “the way things are done” (Donahue, 2011).
Strategic Implications
- Culture is a critical lever for long-term organizational success and resilience. Understanding and intentionally managing culture—overall and within key subcultures like information security—can support adaptation and effective risk management.
- Measurement is the first step toward change. While difficult, using frameworks like Hofstede’s dimensions aids in identifying areas for cultural alignment or transformation.
- Leadership and participation are essential. Management must set clear directives and foster employee engagement to shape both general organizational culture and specific subcultures such as information security.
- Culture impacts the bottom line. Losses related to poor security culture (e.g., data breaches, turnover) are tangible and measurable (Astakhova, 2015), underlining the value of investing in cultural development.
In sum, organizational culture is both a source of competitive advantage and a potential vulnerability. Conscious cultivation of both broader organizational values and key subcultures, such as security, is essential for sustainable performance and risk mitigation.
Chapter 2: Literature Review (Part 3)
Organizational Culture, Information Security, and Governance
Overview:
Recent research highlights the intricate relationship between organizational culture and information security culture, emphasizing the influence of leadership, perceptions, and compliance frameworks in shaping effective security practices. Executives must recognize that security culture is not just a technical or operational matter, but one deeply rooted in organizational behaviors, values, and governance structures.
Organizational vs. Information Security Culture:
Organizational culture, as defined by frameworks such as Hofstede et al. (1990), encompasses the collective human capital and shared values within a company. Information security culture, as proposed by Da Veiga et al. (2007), focuses on norms and practices that support the protection of information assets. While both are interrelated, the precise nature of their relationship remains underexplored. Tang et al. (2016) attempted to bridge this gap by examining a Chinese manufacturing firm, noting potential connections between cultural frameworks but calling for further empirical research.
Challenges in Defining and Measuring Security Culture:
Early research concentrated on describing and measuring information security culture, but recent studies have identified gaps and dysfunctions. Roni et al. (2017) highlighted that culture could perpetuate negative behaviors, especially when management fails to enforce policies. Nasir et al. (2018) validated a model for information security culture—encompassing procedural controls, risk management, training, top management commitment, monitoring, knowledge, and sharing—but acknowledged that a universally accepted definition is still lacking.
Compliance Frameworks and Their Cultural Impact:
- PCI-DSS (Payment Card Industry Data Security Standard):
PCI-DSS mandates strict technical and operational controls for organizations handling credit card payments, with significant penalties for non-compliance. While it is primarily technical, its integration into daily business practices reflects a cultural element of security. Despite this, compliance rates have declined due to the ongoing challenges of maintaining standards, suggesting that policy adherence alone is insufficient without cultural buy-in.
- OECD (Organization for Economic Cooperation and Development):
The OECD promotes the development of information security culture across its 36 member nations, influencing both public and private sectors through policy alignment and international standards. The organization’s focus is on embedding security values beyond compliance, fostering a culture of security awareness and shared responsibility.
Governance and Its Dimensions:
Governance is a central component influencing information security culture. Da Veiga et al. (2007) identified governance as encompassing management’s adherence to policy, asset protection, control, and the perceived importance of information security. Effective governance, therefore, requires more than documented policies—it demands visible and sustained commitment from leadership, clear allocation of responsibility, and ongoing engagement at all organizational levels.
The Role of Perception:
Perceptions—both internal and external—play a pivotal role in shaping security culture. Research shows that gaps in communication or leadership emphasis can lead to inconsistent security behaviors and increased risk. Perceptions of risk and priorities differ among staff, management, and executives, necessitating tailored approaches to ensure alignment. Negative public perceptions following security incidents can translate into tangible financial losses, underscoring the need for proactive and transparent communication strategies.
Positioning Information Security Within the Organization:
Where information security resides within the organizational structure impacts its effectiveness. As seen in both academic and industry studies, placing security under top management’s purview and ensuring their commitment are critical. Security culture must be reinforced at all levels, from policy setting to daily operations, to drive compliance and resilience.
Key Takeaways for Executives:
1. Security culture must be actively shaped by leadership, not left solely to technical teams.
2. Compliance frameworks are necessary but not sufficient—cultural integration is essential for sustained security.
3. Regular assessment of employee perceptions and engagement can help identify and address cultural weaknesses.
4. Positioning information security as a strategic priority and clearly assigning governance responsibilities are crucial.
5. Open communication and ongoing education foster a security-aware workforce and support organizational objectives.
In summary, information security effectiveness is as much about people and culture as it is about technology and policy. Executives must lead by example, reinforcing a culture where security is integral to business success.
Chapter 2: Literature Review (Part 4)
Legislative Drivers: Sarbanes-Oxley and Beyond
The Sarbanes-Oxley Act (SOX) of 2002 was a landmark piece of legislation enacted in response to major corporate governance failures (e.g., Enron, WorldCom). SOX shifted the governance landscape by imposing federally mandated corporate governance practices on publicly traded companies, moving beyond mere disclosure to require direct executive accountability for financial reporting accuracy. Specifically, Section 404 mandates that management must report on the effectiveness of internal controls over financial reporting, with independent audits attesting to these controls.
The frameworks most commonly used to ensure SOX compliance are COBIT (Control Objectives for Information Technologies) and COSO (Committee of Sponsoring Organizations of the Treadway Commission). These provide structured approaches to internal control, risk assessment, and IT governance.
While SOX and similar regulations specify clear lines of accountability for public companies, the governance landscape is more varied for private organizations. Here, the distribution of power and responsibility for cybersecurity can range from a sole proprietor to a board-driven model. Nevertheless, best practice suggests that boards should treat cybersecurity as a strategic risk, integrating it into ongoing governance activities.
Corporate Governance and Information Security
Corporate governance broadly encompasses the equitable distribution of risk and responsibility in achieving organizational goals, with the board of directors playing a central role. Increasingly, boards recognize cybersecurity as a material business risk. Some boards are appointing cybersecurity experts to advise on risk and strategy, further institutionalizing information security governance.
Information technology (IT) governance is now considered a board-level responsibility, focused on enabling and protecting business value. Frameworks like COBIT 2019 and ISO/IEC 27001 explicitly outline governance roles for boards, executive committees, and senior management, specifying how information security should be integrated into broader business processes.
The Role of Top Management
A recurring theme in both research and standards is the critical importance of top management commitment to information security. Effective security culture requires visible support from executives, resource allocation, communication of priorities, and integration of security objectives into business strategy. For example, ISO/IEC 27001 details eight ways for management to demonstrate commitment, including policy alignment with strategy, resource provision, and ongoing improvement.
Research underscores that management must not only set policies but actively participate in implementation and reward compliant behavior. Management’s adherence to and promotion of information security policy is vital; without visible leadership and employee engagement, policies may fail to change behavior or reduce risk.
Policy, Awareness, and Culture
Policies are the primary means by which management communicates expected behaviors. Studies show a direct correlation between policy awareness and a positive information security culture, which in turn is associated with more risk-averse behavior and fewer security incidents. However, policy alone is insufficient; awareness, education, and training are necessary to make policies effective. Compliance requirements like SOX further reinforce the need for robust policy adherence, especially where information security controls underpin the integrity of financial reporting.
Asset Protection and Threat Control
Governance frameworks distinguish between asset protection (identifying and mitigating threats) and threat control (ensuring effectiveness of protections). While frameworks like COSO address internal controls and risk at the corporate level, others like COBIT and ISO/IEC 27001 are more focused on IT and information security, respectively. Notably, ISO/IEC 27001 does not differentiate between digital and physical assets, underscoring the need for a holistic approach to information security.
Conclusion
Modern governance standards demand a proactive, integrated approach to information security. Executives and boards must lead by example, embedding security into the fabric of organizational governance, aligning with legislative requirements, and leveraging internationally recognized frameworks to safeguard assets and maintain stakeholder trust.
I'm going to skip to Chapter 5. I recommend reading the dissertation (link above) if you're interested in how I arrived at these conclusions.
Chapter 5: Conclusions and Recommendations
Key Findings and Interpretations
1. US-Centric, Exploratory Results: The findings are primarily based on US organizations, as efforts to compare with non-breached or international firms were unsuccessful. While results are not globally generalizable, they provide strong exploratory evidence for the US context.
2. Culture and Governance Link: Quantitative analysis confirms that organizational culture measurably affects information security governance. This relationship is complex and influenced by broader national culture, meaning recommendations should be contextualized for multinational organizations.
3. Cultural Dimensions Impact Security:
- Loose vs. Tight Cultures: Organizations with a “loose” culture—casual attitudes toward processes, budgets, and policies—tend to have poorer cybersecurity outcomes. A lack of rigor in security planning and enforcement increases breach risk.
- Employee vs. Job Orientation: Highly employee-oriented organizations may inadvertently deprioritize security if employee needs consistently outweigh job and operational requirements.
- Process vs. Results Orientation: Process-driven organizations that prioritize procedures over outcomes can hinder effective security implementation, as strict adherence to process may mean insufficient focus on real threat mitigation.
- Parochial vs. Professional: Professional cultures, where identity is tied to career and professional standards, show stronger information asset protection. Excessive parochialism, which blurs work-life boundaries and emphasizes personal over organizational interests, can undermine security compliance.
4. Role of Leadership: In most breached organizations, the CISO was accountable for security at the time of the incident. This raises questions about whether cultural factors, rather than individual leadership, are the root issue when breaches occur despite experienced security leaders.
5. Sector Vulnerability – Healthcare: Medical organizations represented a disproportionately high share of multiple breaches. Small healthcare entities often lack sufficient resources, while larger ones may be culturally slow to adapt to the fast-evolving threat landscape, reflecting the difficulty of changing entrenched cultures.
6. Repeat Breaches and Cultural Stagnation: Organizations suffering multiple breaches often exhibit unaddressed cultural weaknesses, suggesting that technical solutions alone are insufficient without cultural change.
Recommendations for Leaders
- Assess and Align Culture: Security leaders should regularly evaluate their organization’s cultural attributes, particularly those linked to negative security outcomes (e.g., “loose” or overly employee-oriented cultures).
- Integrate Governance and Culture: Recognize that responsibility for security extends beyond the IT/security team. The collaborative nature of problem-solving and the broader organizational culture must be addressed in governance strategies.
- Focus on Persistent Issues: For organizations experiencing repeated breaches, conduct in-depth cultural assessments to identify and remediate underlying attitudes or practices undermining effective security.
- Tailor Strategies Internationally: Multinational organizations must consider local and national cultural factors when applying these findings, as what works in the US may not translate directly elsewhere.
Future Research Directions
- Compare with Non-Breached Firms: Further studies should include organizations that have avoided breaches to better understand protective cultural attributes.
- Expand Internationally: Replicating this research in other countries will clarify the role of national culture in security governance.
- Mixed Methods and Leadership Insights: Combining quantitative and qualitative approaches—including interviews with security leaders—can provide a deeper understanding of the interplay between culture and security outcomes.
- Experiment with Cultural Change: Research into specific interventions to shift harmful cultural dimensions toward more secure orientations is recommended.
Conclusion
This study underscores that organizational culture is a critical, often underestimated factor in information security. Executives should prioritize cultural diagnostics and change management as core components of their security governance programs, particularly in sectors and organizations with histories of repeated breaches.