Enforcing information security policies through cultural boundaries: a multinational company approach

Information security policies can be considered as guidelines and used as a starting point to create a security structure within an organization. Although practitioners continuously emphasize the importance of such policies, information system scholars have not paid the required attention to this context from the cross-cultural perspective. The purpose of this study is to look at the cultural and institutional differences of a multinational company (MNC) and its subsidiaries, and discuss how these differences affect the MNC’s strategy to enforce corporate information security policies to its subsidiaries in different cultural settings. The proposed framework considers the effects of the cultural distance, national economy, institutional distance, and stickiness of the knowledge transfer on the process of enforcing information security policies from the parent company to its subsidiaries.