CISO Influence: The Role of the Power Distance Index and the Uncertainty Avoidance Dimensions

Whether it’s communicating in the boardroom, communicating during a crisis such as a data breach or communicating to subordinates, CISOs must carefully weigh the impact of their words. But they also have to recognize that the cultural norms of their audience will result in the same message being perceived quite differently across national or organizational cultures. Thus, today’s CISOs would be wise to consider their own cultural norms and those of their audience when crafting a message. This article covers two such norms with a high degree of relevance to those in security leadership: the Power Distance Index and the Uncertainty Avoidance Index.

In his 2008 book “Outliers,” Malcolm Gladwell traces several aviation disasters to a breakdown in proper cockpit communications due to cultural factors that prevented the co-pilot from properly relaying the urgency of a situation. Gladwell points to the Power Distance Index (PDI) as a major factor in those crashes.

Pilots are trained to follow a strict protocol of sterile cockpit communication during takeoffs and landings to provide maximum signal to each other while also allowing for important updates or alerts to provide the best possible outcome in case of a flight emergency. Not only must pilots and co-pilots think clearly, but they also have to communicate in a way that leaves virtually no doubt as to the meaning being conveyed.

Note that not everyone agrees with Gladwell’s argument that PDI was a major factor in the airline crash cases he covers. The reader is encouraged to read this rebuttal regarding Korean Air’s disasters.

About the Power Distance Index

The Power Distance Index is a term coined by professor Geert Hofstede, a Dutch social psychologist — and former IBM employee — who developed a framework for assessing the effect of national and organizational culture on behavior. The initial framework consisted of four key elements: power distance index (PDI), uncertainty avoidance (UAI), individualism (IDV) and masculinity (MAS). Later, two additional dimensions were added: long-term orientation (LTO) and indulgence versus restraint (IVR). Let’s explore the first two in more detail since they relate to the impact of CISOs’ words and actions on the behavior of their audience.

Hofstede defined PDI as “the extent to which the less powerful members of organizations and institutions (like the family) accept and expect that power is distributed unequally.” This is meant to be a measure of the tolerance for power and inequality from the perspective of the person with less power. Thus, a manager giving an order in a high-PDI culture will expect full compliance from the lower ranks.

According to Hofstede’s data, the five countries with the lowest PDI are: Austria (11), Israel (13), Denmark (18), New Zealand (22) and the German-speaking parts of Switzerland (26). The five countries with the highest PDI (i.e., the highest tolerance for power inequality) are: the Philippines (94), Guatemala (95), Panama (95), Malaysia (104) and Slovakia (104). For comparison, the U.S. scores 40, Great Britain scores 35, Germany scores 35 and France scores 68.

Measuring Uncertainty Avoidance

UAI measures “a society’s tolerance for uncertainty and ambiguity. It indicates to what extent a culture programs its members to feel either uncomfortable or comfortable in unstructured situations. Unstructured situations are novel, unknown, surprising [and] different from usual.”

National cultures with high degrees of UAI will be more likely to have strict laws and believe in a unique, absolute truth. Conversely, uncertainty-accepting cultures are more likely to be tolerant of opinions that differ from their own and consider the validity of someone else’s opinion. Hofstede’s data shows the five countries with the lowest UAI are Singapore (8), Jamaica (13), Denmark (23), Sweden (29) and Hong Kong (29). The five countries with the highest UAI are Belgium-Netherlands (97), Uruguay (100), Guatemala (101), Portugal (104) and Greece (112). For comparison, the U.S. scores 46, Great Britain scores 35, Germany scores 65 and France scores 86.

The combination of PDI and UAI can provide surprising results. For example, the profile of the French culture along these two dimensions (PDI of 68 and UAI of 86) shows a culture in which laws and structure are expected, but “given the high score on power distance, which means that power holders have privileges, power holders don’t necessarily feel obliged to follow all those rules which are meant to control the people in the street. At the same time, commoners try to relate to power holders so that they can also claim the exception to the rule.”

Analyzing Communication Patterns

Taken together, the PDI and the UAI provide a framework to analyze one’s own reasoning and interactions with others. For example, someone coming from a high-PDI culture will expect his or her orders to be acted upon without question. Worse, if the listener is from a low-UAI culture, he or she may not seek additional input or clarification from the boss, which could result in the execution of an incomplete or erroneous task.

A 2010 paper titled “Exploring the Influence of National Cultures on Non-Compliance Behavior,” published in the journal of the International Information Management Association, confirmed the influence of national culture on employee behavior. It also cautioned that in countries with low UAI scores, employees might seem more willing to “bend the rules” based on their own personal judgment.

As the sphere of interaction for CISOs continues to expand, so, too, grows the potential for communicating to different types of cultural backgrounds — including the you-must-not-be-from-IT culture. Take a moment to consider your own cultural profile and that of your audience when crafting the message at hand.

Christophe Veltsos

InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is an associate professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information Security and Information Warfare classes. Beyond the classroom, Chris is also very active in the security community, engaging with community groups and advising business leaders on how to best manage information security risks.