DATA PROTECTION AND EMPLOYEE BEHAVIOUR: THE ROLE OF INFORMATION SYSTEMS SECURITY CULTURE Lena Connolly Business Information Systems Group National University of Ireland Galway Ireland Michael Lang Business Information Systems Group National University of Ireland Galway Ireland ABSTRACT The proliferation of information in modern society, as enabled by technologies such as portable personal devices, social media, and “cloud”-based services, presents a potentially serious threat to individual privacy and the security of corporate data. Despite various technology tools designed to protect organisations’ vital information assets, security breaches within organisations continue to occur. In the 1990s, researchers realised that technical tools alone cannot solve the problem of IS security incidents and they began to focus their attention on socio-organisational aspects. A “human factor” problem has been recognised as the root cause of many security breaches. According to recent research, information security culture needs to be created in organisations in order to promote security-cautious behaviour of employees to avoid such incidents. The concept of information security culture is relatively new and research on this topic is underdeveloped. We submit that there is a need for research that explores the principal factors that impact upon the fostering of information security culture within organisations and how these factors change within different cultural contexts. KEYWORDS Information Systems Security, Information Security Culture, Organisational Culture, National Culture, Employee Behaviour. 1. INTRODUCTION Information Systems (IS) security has evolved from addressing relatively minor security breaches to managing those with huge potential impact on organisations’ economic growth and reputation. Historically, organisations emphasised a technological approach in order to protect their information assets. However, recent research shows that human beings are the weakest link in the security chain and the root cause of most security breaches (da Veiga and Eloff 2010). Some contemporary research shows that establishing an organisational information security culture (ISC) can help in addressing this problem of the “human factor” in security management. It is only in recent years that the potential value of ISC within an organisation gained recognition by IS scholars as an important aspect in sustaining a sufficient level of information systems security in that organisation (Knapp et al. 2006, da Veiga and Eloff 2010). ISC promotes security-cautious behaviour of employees and therefore can help to