Information security management: A case study of an information security culture
Related papers
A Conceptual Model for Exploring the Factors Influencing Information Security Culture
International Journal of Security and Its Applications
Human behavior is considered one of the main threats in an organization. Owing to the fact that the human element is the weakest link in the security area, it is crucial to provide an ideal information security culture within an organization in order to guide the employees' perception, attitudes and security behavior. Furthermore, this culture can protect an organization against many information security threats posed by the employees. In this paper, we have proposed a conceptual model exploring the factors influencing the information security culture.
Information security culture: A Behaviour Compliance Conceptual Framework
Understanding the complex, dynamic and uncertain characteristics of organisational employees who perform authorised or unauthorised information security activities is deemed to be a very important and challenging task. This paper presents a conceptual framework for classifying and organising the characteristics of organisational subjects involved in these information security practices. Our framework expands the traditional Human Behaviour and the Social Environment perspectives used in social work by identifying how knowledge, skills and individual preferences work to influence individual and group practices with respect to information security management. The classification of concepts and characteristics in the framework arises from a review of recent literature and is underpinned by theoretical models that explain these concepts and characteristics. Further, based upon an exploratory study of three case organisations in Saudi Arabia involving extensive interviews with senior managers, department managers, IT managers, information security officers, and IT staff, this article describes observed information security practices and identifies several factors which appear to be particularly important in influencing information security behaviour. These factors include values associated with national and organisational culture and how they manifest in practice, and activities related to information security management.
Information Security Culture: A Comparative Analysis of Four Assessments
An Information Security Culture Assessment (ISCA) aids in identifying what components an organisation needs to enhance or impede to improve the protection of the organisation's information. The objective of the ISCA, developed in previous research by the authors, is to assess the current information security culture level in organisations using a survey approach. This paper discusses a case study of one of the international financial institutions where the ISCA was conducted four times over a period of eight years, across twelve countries. The research indicated that the information security culture improved from one assessment to the next, with the most positive results obtained in 2013. The Group Information Security Officer concentrated on training as the main improvement action in each country, in line with the recommendations of each assessment. It was found that the results of employees who received prior information security training were significantly more positive than those of employees who did not. The overall information security culture, from a dimensional and biographical perspective, also improved from one assessment to the next. The output of the ISCA can aid management in directing and prioritising information security awareness and training in terms of topics and biographical groups in the organisation. It provides insight into an approach that organisations can consider to address the risk to the protection of information, from an employee perspective. The trends identified in the case study also aid in understanding how an adequate information security culture can be inculcated in an organisation.
Information security culture: A definition and a literature review
2014 World Congress on Computer Applications and Information Systems (WCCAIS), 2014
Information security culture guides how things are done in an organization in regard to information security, with the aim of protecting the information assets and influencing employees' security behavior. In this paper, we review key literature on information security culture that was published in the period 2003-2013. The objective was to identify the frameworks that were proposed to establish and maintain information security culture inside organizations. Moreover, other issues were investigated, such as the appropriate definition, and the methodology used in this field of research. The review identified 62 papers that were published in that period (2003-2013) and were focused on information security culture in organizations as the main topic of the paper. The review draws attention to the importance of the information security culture and the need for more investigation in the field to provide a comprehensive framework for the establishment of information security culture within an organization.
Understanding challenges of information security culture: a methodological issue
2nd Australian Information Security Management …, 2004
Although many organisations have implemented technical solutions to protect information resources from adverse events, internal security breaches continue to occur. Therefore, an approach that emphasises an information security culture within the organisation is required to make security a part of employees' daily work routines. In order to develop a successful information security culture within an organisation, there is a need to understand both technical and non-technical aspects of information security. Thus, this paper aims to investigate and discuss the conceptual and methodological issues pertaining to the challenges in information security culture. MAMPU (Malaysian Administrative Modernisation and Management Planning Unit) was chosen as the subject of analysis and to serve as the specific in-depth case study for the investigation. In terms of epistemological approach, the interpretivism paradigm has been adopted as the main strategy of inquiry. For data collection, this research used a questionnaire survey, semi-structured interviews, reviews of information security documents and observations. A conceptual framework based on a model of organisational culture was also established to guide the data collection techniques. This paper, basically, is an attempt to academically overview and justify the conceptual and methodological decisions in each procedure, as outlined above.
Fostering Information Security Culture In Organizations: A Research Agenda
MCIS, 2017
Information security is a major challenge for organizations due to the proliferation of digitization and constant connectivity. It is becoming widely accepted that raising an information security culture, meaning instilling security behaviour in people interacting with ICTs, is key to maintaining a healthy security posture. However, the academic field of information security culture has been described as immature and lacking empirical validation, while the constituents of the concept as well as methods, tools, frameworks and metrics for fostering and evaluating it within organisations remain elusive. This paper, based on a critical analysis of relevant literature and practice, provides a research agenda of critical issues that need to be addressed so that users, from security's weakest link, become an important actor for proactive information security. These issues include the need for proper and employable definitions of information security culture and the need to explore the existence of security subcultures, the need to develop frameworks, tools and metrics for guiding, evaluating and comparing security culture raising programs, the need to explore the interplay between organisational elements (including organisational structure, type and management practices) and security culture, the need to identify the impact of security culture on issues such as innovation adoption, the need to investigate the influence of national and organisational culture on security culture, and so on.
Defining organisational information security culture—Perspectives from academia and industry
Computers & Security, 2020
The ideal or strong information security culture can aid in minimising the threat of humans to information protection and thereby aid in reducing data breaches or incidents in organisations. This research sets out to understand how information security culture is defined from an academic and industry perspective using a mixed-method approach. The definition, factors necessary to instil the ideal information security culture and the potential impact of the ideal information security culture were investigated from both perspectives. A survey approach was implemented to obtain the views from industry, and 512 respondents from organisations, many of which operate at an international level, participated in the survey. The research presents a description of information security culture, integrating the existing literature and expanding on it with the views of industry, thereby giving clarity to the concept. The ideal information security culture was identified with the top traits relating to aspects such as an aware and knowledgeable workforce implementing conscientious, caring behaviour to comply with policies as guided by management. The factors that could positively influence an information security culture were identified, consolidated and expanded to five external factors and twenty internal factors. Organisations that have a strong information security culture were identified as achieving mutual trust and integrity through the protection of their information. The description of an information security culture can be used as a baseline to define and understand the concept, identify a single, comprehensive set of factors to be implemented, comprehend the traits of such a culture, as well as what an organisation can achieve by having a strong information security culture. The analysis showed that scientific interpretations of the definitions and factors of information security culture are much wider than the understanding of them in industry.
Both the results from the scoping review of papers and the feedback from the industry experts are synthesised visually to provide an organisational information security culture model (OISCM). The definition, factors, and model that influence the organisational culture of information security have prognostic value for industry. For scientists, this is an important topic of research on methods and forms of increasing the level of this knowledge.
Information security culture: A management perspective
Computers & Security, 2010
Information technology has become an integral part of modern life. Today, the use of information permeates every aspect of both business and private lives. Most organizations need information systems to survive and prosper and thus need to be serious about protecting their information assets. Many of the processes needed to protect these information assets are, to a large extent, dependent on human cooperative behavior. Employees, whether intentionally or through negligence, often due to a lack of knowledge, are the greatest threat to information security. It has become widely accepted that the establishment of an organizational sub-culture of information security is key to managing the human factors involved in information security. This paper briefly examines the generic concept of corporate culture and then borrows from the management and economic sciences to present a conceptual model of information security culture. The presented model incorporates the concept of elasticity from the economic sciences in order to show how various variables in an information security culture influence each other. The purpose of the presented model is to facilitate conceptual thinking and argumentation about information security culture.
Understanding information security culture: A conceptual framework
Information Security South Africa ( …, 2006
The importance of establishing an information security culture in an organization has become a well-established idea. The aim of such a culture is to address the various human factors that can affect an organization's overall information security efforts. However, understanding both the various elements of an information security culture, as well as the relationships between these elements, can still be problematic. Schein's definition of a corporate culture is often used to aid understanding of an information security culture. This paper briefly introduces Schein's model. It then incorporates the important role knowledge plays in information security into this definition. Finally, a conceptual framework to aid understanding of the interactions between the various elements of such a culture is presented. This framework is explained by means of illustrative examples, and it is suggested that this conceptual framework can be a useful aid to understanding information security culture.