Information security policies and value conflict in multinational companies

Abstract

PurposeThe purpose of this paper is to examine challenges multinational companies face during the diffusion of their information security policies. Parent companies use these policies as their discourse for legitimization of their practices in subsidiaries, which leads to value conflicts in subsidiaries. The authors postulate that, when properly crafted, information security policies can also be used to reduce the very conflicts they are creating.Design/methodology/approachThe proposed framework is conceptualized based on the review of literatures on multinational companies, information security policies and value conflict.FindingsThe authors identified three factors that may lead to value conflict in subsidiary companies: cultural distance, institutional distance and stickiness of knowledge. They offer three recommendations based on organizational discourse, ambidexterity and resource allocation to reduce value conflict.Research limitations/implicationsThe authors postulate that information security policies are the sources of value conflict in subsidiary companies. Yet, when crafted properly, these policies can also offer solutions to minimize value conflict.Practical implicationsThe proposed framework can be used to increase policy diffusion success, minimize value conflict and, in turn, decrease information security risk.Originality/valueThe growing literature on information security policy literature is yet to examine the diffusion of policies within multinational companies. The authors argue that information security policies are the source of, and solution to, value conflict in multinational companies.