An Integrative Framework For Knowledge Management Capability, Information Security
Compliance, And Internationalization
Kamphol
Wipawayangkool, Sam Houston State University, Huntsville,
USA
ABSTRACT:
This paper addresses two topics contemporary to both knowledge management and internationalization phenomena. First, in this information-sensitive era, internationalizing firms are typically required to comply with the host country’s information security regulations. Second, with the emergence of virtual teams, how virtual teams affect knowledge management capability and subsequently internationalization becomes relevant to many modern firms. Specifically, drawing from organizational information processing theory, this paper proposes an integrative framework by examining the influence of the fit between knowledge management capabilities particularly contributed by the effectiveness of knowledge creation processes in virtual teams and the extent of information security compliances on the extent of internationalization of the firms. Unlike much of prior academic literature focusing on American firms, this paper discusses how certain American security compliances possess challenges for foreign firms attempting to internationalize their businesses. Implications for researchers and managers are discussed.
Keywords: Knowledge
management, Virtual teams, Information security compliances,
Internationalization
1. Introduction
A common goal for many modern firms is to become internationally competitive. To achieve such a goal, firms first must be able to enter foreign markets; as a result, certain security compliances of host countries are required (Gerber & von Solms, 2008; Luthy & Forcht, 2006). Firms face challenges in being accustomed to foreign security regulations and laws and learning how to manage them. Specifically, such firms need to know how to create and utilize necessary knowledge effectively in order to comply with those standards. As a result, both knowledge management capability and information security compliance affect the extent to which a firm can internationalize its business. Nonetheless, in international business literature, study exploring beyond the availability of knowledge-based resources or merely knowledge management capability is rather scarce. Furthermore, with the swift emergence of virtual teams in modern firms, it is crucial that researchers pay attention to how specifically virtual teams affect knowledge management capability especially knowledge creation process (Lee & Cole, 2003) since it indeed initiates and affects overall knowledge management process and consequently internationalization of the firm.
Overall, this paper aims to discuss the role of knowledge management and information security in internationalization phenomena. Specifically, drawing from organizational information processing theory, this paper examines the role of the fit between knowledge management capabilities particularly contributed by the effectiveness of knowledge creation processes in virtual teams and the extent of information security compliances. As Hitt et al. (2006) recommended in their review article that researchers pay more attention to the role of institutional factors and as the inclusion of information security regulations and compliances in international business context is rather lacking, this paper contributes to the literature by providing a theoretical framework that integrates knowledge creation in virtual teams on knowledge management capabilities, information security compliances, and internationalization for future researchers to explore further this interdisciplinary research stream.
This paper is organized as follows. First, literature background on internationalization, knowledge management capability, knowledge creation in virtual teams, and information security compliances are discussed. Second, the organizational information processing theory is discussed to provide the theoretical foundation for the research model and propositions. Finally, implications for researchers and managers, limitations, and conclusion of this paper are discussed.
2. Literature Background And Propositions Development
2.1. Internationalization
Internationalization is defined as a strategy through which a firm expands its business into different geographic locations or markets (Hitt et al., 2006). Firms internationalize for a number of reasons such as to gain competitive advantage (Hitt et al., 2006), to increase returns of investment (Hymer, 1976), and to compensate the inefficiencies of doing business in the current market (Hennart, 1982). Hitt et al. (2006) provided an intensive review on antecedents, outcomes, and moderators in internationalization. The antecedents include factors such as top management team characteristics (Herrmann & Datta, 2005), firm structure (Sanders & Carpenter, 1998), and processes and resources (Tseng et al., 2007). The extent of internationalization may be measured in terms of scale and scope. Relevant to this paper is the discussion of the moderators which include institutional factors. For example, Calof and Beamish (1995) found that regulation influences the mode of internationalization. Nonetheless, finding that current status of the evidence of the relationship between host country regulations and internationalization is mixed, Hitt et al. (2006, p. 859) recommended that future researchers focus more on the role of institutional factors.
A firm faces a number of difficulties when aiming to internationalize its operations. Drawing from the resource-based theory, Cuervo-Cazurra et al. (2007) categorized three sets of the difficulties as: resources losing their advantages when they are transferred abroad, resources creating disadvantages when they are transferred abroad, and complementary resources required to operate in the new country are lacking. Although all those difficulties might be applicable to this paper, given that the objective is to emphasize the role of host-country information security compliances, the lack of complementary resources is conceivably most relevant. Indeed, Cuervo-Cazurra et al. (2007) categorized further that the lack of complementary resources includes liability of foreignness which is caused by institutional environment factors of the host country. Firms need to create complementary resources to alleviate such a difficulty. Prior literature shows that knowledge-based resources particularly technological and marketing knowledge significantly affects the extent of internationalization of a firm (Tseng et al., 2007). Thus, it is reasonable to infer that aiming to internationalize, a firm needs to create and apply complementary knowledge such as in technology and marketing in order to comply with host country’s regulations and laws. Indeed, Chari et al. (2007) found that greater investment in technology promotes capability in coordinating and processing information, and that such an improvement increases the extent of internationalization and ultimately improves firm performance. Therefore, it can be deduced further that internationalizing firms need not only complementary knowledge but also effective knowledge management process, the statement to be elaborated next.
2.2. Knowledge Management
Capability
The discussion of internationalization above results in a suggestion that the capabilities to manage complementary knowledge are crucial in both complying with the requirements of certain regulations and laws and determining the extent of internationalization of a firm. First, based on the theory of complementarities, complementary knowledge refers to a set of knowledge that produces greater returns than the sum of their individual return (super-additive) (Tanriverdi, 2005). In this case in order to internationalize, firms need to create relevant knowledge (such as regarding technology and marketing) that can help firms comply with foreign regulations and laws. Nonetheless, possessing complementary knowledge does not guarantee the success of being complied and internationalized.
Second, effective knowledge management capabilities pertinent to different sets of complementary knowledge are needed. Knowledge management capability refers to a firm’s capability to create, transfer, integrate, and utilize related and necessary knowledge in a domain to benefit the firm’s desired performance (adapted from Tanriverdi, 2005). Tanriverdi (2005) found that knowledge management capability mediates the relationship between the use of common technology and management across business units and firm performance. In sum, firms need to know how to effectively create, transfer, integrate, and utilize complementary knowledge in order to achieve the goal of internationalization effectively. While all those processes of knowledge management are important, it is reasonable to state that without effective knowledge creation process to produce complementary knowledge, knowledge management capability is unlikely to be productive. Next, unlike much literature in international business merely focusing on knowledge management capability, this paper attempts to analyze further theoretically the influence of knowledge creation in virtual teams which have become widely used in today’s businesses.
2.3. Knowledge Creation In Virtual Teams
Emerging as a ubiquitous working mode in modern organizations, virtual teams are defined as teams whose members are geographically dispersed, interdependent on their tasks yet share responsibility for outcomes, and rely on technology-mediated communication rather than face-to-face interactions to accomplish the tasks (Aubert & Kelsey, 2003; Jarvenpaa & Leidner, 1999; Schiller & Mandviwalla, 2007). While virtual teams offer advantages over traditional face-to-face teams by overcoming geography, time, and organization boundaries, it is known that communication and coordination are so critical that they significantly affect virtual teams’ performance (Espinosa et al., 2007; Martins et al., 2004). Thus, the nature of virtual environment clearly challenges how virtual team members exchange their knowledge (Espinosa et al., 2007). Nonetheless, Espinosa et al. (2007) found that shared knowledge among virtual team members can mitigate the negative effect of geographic distance on coordination. As a result, it is important to explore how virtual team members can effectively share their knowledge.
Virtual teams are believed to
increase the value of knowledge management significantly (Griffith et al.,
2003). However, due to virtual environment, knowledge becomes highly
distributed among virtual teams’ members, a challenge for researchers to
re-evaluate knowledge creation process in modern organizations (Lee & Cole,
2003). Drawing from Nonaka’s (1994) Organizational
Knowledge Creation theory (Socialization, Externalization, Combination, and
Internalization; the SECI model) as well as Adaptive Structuration
theory and Agency theory, Wipawayangkool (2009)
proposed a model of knowledge creation process in virtual teams called Adaptive
Social-Externalization (
Figure 1: Adaptive Social-Externalization And The Characteristics (adapted from Wipawayangkool,
2009)
The
The characteristics of the
Thus, this paper suggests that the
three characteristics can be used to determine not only the effectiveness of
virtual teams’ knowledge creation processes, but also knowledge management
capability and ultimately the extent of internalization of the firm. In other
words, the relationship between the effectiveness of knowledge creation in
virtual teams and the extent of internalization of the firm is mediated by
knowledge management capability (see Figure 2 for the first research model).
Based on the discussion above, a set of propositions are derived as follows:
Proposition 1a: The extent to which an
internationalizing firm’s virtual teams’ members can adapt their social
interaction structures and knowledge creation process based on their choices of
communication technology (Adaptiveness) will
positively influence the extent of knowledge management capability of the firm.
Proposition 1b: The extent to which an
internationalizing firm’s virtual teams’ socialization and externalization
processes occur simultaneously based on their choices of communication
technology (Simultaneity) will positively influence the extent of knowledge
management capability of the firm.
Proposition 1c: The extent
to which an internationalizing firm’s virtual teams’ members are willing to
exchange information to benefit one another to achieve common goals (Goal
Congruency and Information Symmetry) will positively influence the extent of
knowledge management capability of the firm.
Proposition 2: The extent of knowledge
management capability of the firm will positively influence the extent of
internationalization of the firm.
2.4. Information Security
Compliance
Information security compliances refer to compliances with regulations and laws pertinent to information security issues. Thus, the extent of information security compliances is defined in this paper as the extent to which a firm complies with regulations and laws pertinent to information security issues. Information security management is essentially involved with ensuring privacy of information (confidentiality), authorized operations on information (integrity), and availability of functional systems (availability) (Dhillon, 2007). Both technical (e.g. encryption and network security) and non-technical (e.g. management and regulatory compliance) aspects exist in information security management.
Certain laws and regulations may not directly address the implications of
information security, but given the pervasiveness of information technology in
business today, they are certainly involved with information security (Luthy & Forcht, 2006). For
example, although developed for financial sector in the
Proposition
3: The extent to which an internationalizing firm complies with certain
information security compliances required by the host country will positively
influence the extent of internationalization of the firm.
Figure 2: An Initial Integrative Model.
3. The Integrative Framework Of The Fit
In addition to the model above, this section proposes further an integrative framework of the fit between knowledge management capabilities and the extent of information security compliances in internationalization by primarily drawing from the organizational information processing theory.
3.1. Organizational Information
Processing Theory
The principle of the organizational information processing theory is that firms can obtain their optimal performance in a domain through strategies that either reduce the needs for information processing or increase the capacity to process information or both (Galbraith, 1974). Central to the theory are information processing needs, information processing capability, and the fit between information processing needs and capability. In short, through such a fit, a firm can achieve its optimal performance. Figure 3 illustrates the essences of the theory.
Figure 3: The Essences Of The
Organizational Information Processing Theory
Based on such a framework, this paper conceptualizes the extent of internationalization as the desired performance, the extent of information security compliances as information processing needs, and knowledge management capabilities as information processing capabilities. In other words, the firm must be able to create and use necessary knowledge in order to respond to the need for complying with certain regulations and laws – and particularly through the fit, the firm will be able to achieve the optimal extent of its internationalization.
3.2. The Fit between Knowledge Management Capabilities And Information Security Compliances
Again, based on the organizational information processing theory and all the
discussion above, this paper posits that the fit between knowledge management
capabilities of a firm and the requirements of foreign information security
compliances influences the extent to which the firm can internationalize its
business. Discussed in this section are some well-known American regulations
and laws foreign firms face when internationalizing their businesses in the
3.2.1. Technology-related
Compliances
First, triggered by scandalous cases
such as Enron, the Sarbanes-Oxley Act (SOX) requires publicly traded companies
to establish an accurate and reliable internal control structure for financial
reporting activities that are typically handled by computer systems (Luthy & Forcht, 2006;
Schultz, 2004). In short, this law is designed to strengthen the integrity of
corporate financial practices. As mentioned, SOX also applies to foreign
companies that are registered to operate business in the
Although SOX is not designed to tackle information security directly,
information technology department is under great pressure to complete its requirements
such as data authentication, encryption, and storage recoverability. Complying
with SOX is significantly expensive especially for small firms. Indeed, Piotroski and Srinivasan (2008)
found that SOX does not influence the decision of large foreign firms to
register their business in the
Second, as the first American regulation on medical privacy and the most intensive federal legislation involving health information management and systems affecting the store, use, release, and transmission of private medical data, the Health Insurance Portability and Accountability Act (HIPAA), requires firms, regardless of its size and practices (e.g. healthcare providers, insurance companies, physician practice, and consulting firms), to implement security strategies, such as reviewing information systems activities and risk management, for personal history information (Dhillon, 2007). Firms that fail to comply with the HIPAA could be subjected to heavy fines and potential lawsuits.
3.2.2. Marketing-related
Compliances
Many of the most significant privacy rules focus on marketing practices through defining appropriate restrictions and explaining the degree to which those practices can be (Nahra, 2006). The Do-Not-Call and CAN-SPAM are two of renowned and aggressive marketing rules issued by the Federal Trade Commission (FTC) and Federal Communication Commission (FCC) (Nahra, 2006). As many firms nowadays outsource telemarketing and Internet-marketing activities, the firm must be cautious in selecting marketing partners and be sure that they strictly adhere to the requirements of the rules. For example, the FTC charged DirecTV in December 2005 for its affiliates’ violations of the Do-Not-Call restriction with the $5.3 million penalty fees, the largest violation yet (Hughes, 2007). In other words, the firm needs to know how to create complementary knowledge, for example through selecting marketing partners, and ensure that the knowledge will be appropriately and effectively utilized.
Based on the discussion above, a set of propositions are developed as follows:
Proposition 4: The extent of knowledge
management capability (e.g. technological and marketing) of an internationalizing
firm will positively influence the extent to which the firm complies with
certain information security compliances required by the host country (e.g.
technology-related and marketing-related compliances of the
Proposition 5a: The fit between technological
knowledge management capability of a firm (e.g. through the IT department) and
technology-related information security compliances (e.g. SOX and HIPAA) will
positively influence the extent of internationalization of the firm.
Proposition 5b: The fit between marketing
knowledge management capability of a firm (e.g. through marketing partners
selection) and marketing-related information security compliances (e.g.
CAN-SPAM and Do-Not-Call) will positively influence the extent of
internationalization of the firm.
Finally, although both technological and marketing knowledge are significant predictors of the extent of internal diversification, Tseng et al. (2007) also found that the relationship between marketing knowledge and the extent of internationalization is an inverted U-shaped, indicating that excessive use of marketing resources may trigger adverse responses from the host country and that an optimal extent of internationalization exists in the relationship. An explanation is that the effects of marketing practices tend to be more salient with and sensitive to people’s perceptions than those of technology especially when the host country is greatly different. Thus, technological knowledge management capability may directly increase the extent of internationalization of a firm more than marketing knowledge management capability.
Proposition 6: Due to differential levels of the
salience or sensitivity of the nature of the knowledge to the perceptions of
people in the host country, the fit between technological knowledge management
capability and technology-related information security compliances of a firm
will positively influence the extent of internationalization of the firm more
significantly than the fit between marketing knowledge management capability
and marketing-related information security compliances of the firm.
The following Figure 4 depicts the integrative framework of the fit and the corresponding propositions together with the previous propositions.
Figure 4: The Proposed Integrative
Framework
4. Implications And Limitations
This paper has implications to both researchers and managers. To researchers, the integrative framework for knowledge management capabilities contributed by knowledge creation in virtual teams and information security compliances in internationalization emphasizes the interdisciplinary nature of these research streams and suggests a number of propositions for researchers to explore further. Especially, the integration of knowledge creation in virtual teams and internationalization has been lacking in prior literature. This paper overall contributes to the body of knowledge of knowledge management, information security, and international business management. Specifically, to knowledge management and international business, this paper explores beyond simply knowledge management capability via integrating the role of knowledge creation processes in virtual teams particularly the determinants of the effectiveness of the processes. To information security literature, regulatory aspects, compared to other aspects especially technical, are still relatively immature and need more attention. In addition, this paper fills in the recommendation for considering regulatory factors in international business context. Managers should examine both the availability of necessary knowledge and knowledge management capability by carefully assessing such characteristics of their virtual teams’ knowledge creation processes as adaptiveness, simultaneity, and goal congruency and information symmetry to determine firms’ readiness before making the decision to internationalize their businesses otherwise unnecessary costs of attempting to do so are likely to surface. In addition, managers in departments such as IT and marketing should ensure that they are familiar with and know to create necessary knowledge in order to comply with associated information security compliances in the domains.
Regarding limitations, although this paper achieves the objective in pointing out the important role of knowledge creation in virtual teams in knowledge management capability of the firm, other processes such as knowledge transfer also need to be explored. Similarly, researchers should also examine the effects of different compliances in different industries. Empirical studies are certainly needed to analyze the propositions and research model and may appear to be challenging to gain access to data on corporate security compliances. As a result, a methodology on how to tackle such an issue will prove to be very valuable to the field.
5. Conclusion
This paper discusses two topics relevant to both knowledge management and internationalization. First, in this information era, internationalizing firms typically need to comply with the host country’s certain information security regulations and laws. Second, although prior literature suggests that complementary knowledge is crucial for firms to internationalize effectively, with the emergence of virtual teams as a modern work mode, literature analyzing how virtual teams affect firms’ knowledge management capability and consequently internationalization is needed. This paper contributes to the literature by providing an integrative framework for knowledge creation in virtual teams, knowledge management capabilities, information security compliances, and internationalization. Specifically, drawing from organizational information processing theory, this paper proposes an integrative framework of the influence of the fit between knowledge management capabilities particularly contributed by the effectiveness of knowledge creation processes in virtual teams and the extent of information security compliances on the extent of internationalization of the firms. Instead of looking from American firms’ perspective, this paper discusses how certain American security compliances possess challenges for foreign firms when internationalizing their businesses.
6. References
Aubert, B.A. and Kelsey, B.L. (2003) Further Understanding of Trust and Performance in Virtual Teams, Small Group Research, 34(5), 575-618.
Calof, J.L. and Beamish, P. (1995) Adapting to foreign markets: Explaining internationalization, International Business Review, 4, 115-131.
Cuervo-Cazurra, A., Maloney, M.M., and Manrakhan, S. (2007) Causes of the difficulties in internationalization, Journal of International Business Studies, 38, 709-725.
Dhillon, G. (2007) Principles of information systems security: Text and cases, John Wiley & Sons, Inc.
Espinosa, J.A.,
Galbraith, J. (1974) Organization design: An information processing view, Interfaces, 4(3), 28-36.
Gerber, M. and von Solms, R. (2008) Information security requirements – Interpreting the legal aspects, Computers & Security, 27, 124-135.
Haworth, D.A. and Pietron, L.R. (2006) Sarbanes-Oxley: Achieving compliance by starting with ISO 17799, Information Systems Management, winter, 73-87.
Hennart, J.F. (1982) The
theory of multinational enterprise.
Herrmann, P. and Datta, D.K. (2005) Relationships between top management team characteristics and international diversification: An empirical investigation, British Journal of Management, 16, 69-78.
Hitt, M.A., Tihanyi, L., Miller, T., and Connelly, B. (2006) International Diversification: Antecedents, Outcomes, and Moderators, Journal of Management, 32(6), 831-867.
Hughes, T. (2007) How well do you know your Internet marketing partners? Journal of Internet Law, May, 3-6.
Hymer, S.H. (1976) The
international operations of national firms: A study of foreign direct
investment.
Jarvenpaa, S.L. and Leidner, D.E. (1999) Communication and Trust in Global Virtual Teams, Organization Science, 10(6), 791-815.
Lee, G.K. and Cole, R.E. (2003) From a Firm-Based to a Community-Based Model of Knowledge Creation, Organization Science, 14(6), 633-649.
Luthy, D. and Forcht, K. (2006) Laws and regulations affecting information management and frameworks for assessing compliance, Information Management & Computer Security, 14(2), 155-166.
Martins, L.L., Gilson, L.L., Maynard, M.T. (2004) Virtual teams: What do we know and where do we go from here? Journal of Management, 30(6), 805-835.
Nahra, K.J. (2006) A privacy and security compliance checklist for the Internet era, Journal of Internet Law, 9, 12, 11-21.
Nonaka, I. A (1994) Dynamic Theory of Organizational Knowledge Creation, Organization Science, 5(1), 14-37.
Piotroski, J.D. and Srinivasan, S. (2008) Regulation and bonding: The Sarbanes-Oxley Act and the flow of international listing, Journal of Accounting Research, 46(2), 383-425.
Sanders, WM.G. and Carpenter, M.A. (1998) Internationalization and firm governance: The roles of CEO compensation, top team composition, and board structure, Academy of Management Journal, 41(2), 158-178.
Schiller, S.Z. and Mandviwalla, M. (2007) Virtual Team Research: An Analysis of Theory Use and a Framework for Theory Appropriation, Small Group Research, 38(1), 12-59.
Schultz, E. (2004) Sarbanes-Oxley-a huge boon to information security in the US, Computers & Security, 23, 353-354.
Tanriverdi, H. (2005) Information technology relatedness, knowledge management capability, and performance of multibusiness firms, MIS Quarterly, 29(2), 311-334.
Tseng, C.H., Tansuhaj, P., Hallagan, W., and McCullough, J. (2007) Effects of firm resources on growth in multinationality, Journal of International Business Studies, 38, 961-974.
Wipawayangkool, K. (2009) Toward a General Model of Knowledge Creation in Virtual Teams, Journal of Information & Knowledge Management, 8(1), 45-51.
Yeo, V. (2006) SOX clock
ticking for overseas business. http://www.news.com/2102-7350_3-6098931.html
About the Author:
Kamphol Wipawayangkool is currently an adjunct lecturer at
Tel:
936-294-4049; Email: kxw012@shsu.edu