Interpreting information security culture: An organizational transformation case study

When two companies merge, technical infrastructures change, formal security policies get rewritten, and normative structures clash. The resultant changes typically disrupt the prevalent security culture, thus making the new organization highly vulnerable. Literature in this area has been rather scant, and there is a lack of empirical studies. In this paper, we use Hall's (1959) theory of cultural message streams to evaluate disruptions in security culture following a merger. We carry out an extensive case study of a telecom firm. Data were collected whilst the merger was taking place, which allowed us to evaluate the changing structures in real time. Findings from our analysis will be beneficial for researchers and practitioners alike. For researchers, it provides an opportunity to theorize about security culture formulation during a merger. At a practical level, decision makers will find this analysis useful for engaging in strategic security planning.