Abstract
Purpose - The purpose of this paper is to examine challenges multinational companies face during the diffusion of their information security policies. Parent companies use these policies as their discourse for legitimization of their practices in subsidiaries, which leads to value conflicts in subsidiaries. The authors postulate that, when properly crafted, information security policies can also be used to reduce the very conflicts they are creating. Design/methodology/approach - The proposed framework is conceptualized based on the review of literatures on multinational companies, information security policies, and value conflict. Findings - The authors identified three factors that may lead to value conflict in subsidiary companies; cultural distance, institutional distance, and stickiness of knowledge. They offer three recommendations to reduce value conflict; organizational discourse, ambidexterity, and resource allocation. Research implications - The authors postulate that information security policies are the sources of value conflict in subsidiary companies. Yet, when crafted properly, these policies can also offer solutions to minimize value conflict. Practical implications - The proposed framework can be used to increase policy diffusion success, minimize value conflict, and in turn, decrease information security risk. Originality/value – The growing literature on information security policy literature has yet to examine the diffusion of policies within multinational companies. The authors argue that information security policies are the source of, and solution to, value conflict in multinational companies.
5. Discussion and conclusion
The main thesis of our paper is that information security policies are sources of, and solutions to, value conflict in MNCs. We postulate that these policies create value conflict when transferred from parent companies to their subsidiaries. The level of conflict is likely to increase with cultural and institutional distances between the parent and subsidiary company. Moreover, the stickiness of the information security context would exacerbate the potential of value conflict. In response to these issues, we recommend that security policies can be used to outline discursive strategies, increase ambidexterity of parent companies, and provide resource allocation in order to minimize value conflict. As an illustration of our recommendations, we can focus on a MNC headquartered in Germany with two subsidiaries located in the Czech Republic and China. In such an organizational set-up, the legitimization of parent company’s information security policies will create distinct value conflicts within each subsidiary. Table 3 presents a comparison of these countries based on the measures such as Hofstede’s cultural distance (Hofstede, 2017), World Development Indicators (The World Bank, 2017), and Worldwide Governance Indicators (Kaufmann et al., 2010). The selected measures suggest that legitimization process will be more difficult in the subsidiary in China. On the other hand, because wireless network security policies have more sticky technology requirements (e.g., network design, router setup, etc.) than acceptable use policies which are more of a code of conduct in general, diffusion of the actual policy requirements will be more problematic for the subsidiary in the Czech Republic.
