An holistic framework for the fostering of an information security sub-culture in organizations

SECURITY KNOWLEDGE REQUIRED TO IMPROVE EMPLOYEE SECURITY BEHAVIOR IN INFORMATION SECURITY CULTURE

International Journal of Computer Science and Information Security (IJCSIS), Vol. 20 No. 2, February 2022

There are many security risks to organizations' information assets; nonetheless, among the major threats to achieving a secure information environment are the actions and behavior of employees when handling information. Insiders, intentionally or unintentionally, can cause serious risks, despite the investments usually made in security control measures and other security-related products. Insecure human behavior with respect to information security cannot be solved entirely by technical and procedural controls alone. Recently, the development of an effective information security culture in organizations has increasingly been considered a way to embed appropriate security practices and to address the human factor in information security. Past research in this area indicates that there is a positive relationship between levels of knowledge and how employees behave. The level of knowledge significantly affects information security behavior and should be considered a critical factor in the effectiveness of information security culture and in any further work carried out on information security culture. Therefore, in this paper we have identified the security knowledge required to improve employee behavior in information security culture, namely: knowledge of security threats, knowledge of the organization's information security strategy, knowledge of security technology, knowledge of legislation, regulation and national culture, knowledge of security responsibility, and knowledge of security risk. These areas of security knowledge need to be included as topics in the security training and awareness programs that organizations conduct for their employees, so that an effective information security culture within the organization can be achieved.

Cultivating an organizational information security culture

Computer Fraud & Security, 2006

An information security solution should be a fundamental component in any organization. One of the major difficulties in achieving the assimilation of information into an organization is the actions and behaviour of employees. To ensure the integration of information security into the corporate culture of an organization, the protection of information should be part of the daily activities and second-nature behaviour of the employees.

A Conceptual Model for Exploring the Factors Influencing Information Security Culture

International Journal of Security and Its Applications

Human behavior is considered one of the main threats in an organization. Owing to the fact that the human element is the weakest link in the security area, it is crucial to provide an ideal information security culture within an organization in order to guide employees' perceptions, attitudes and security behavior. Furthermore, this culture can protect an organization against many information security threats posed by employees. In this paper, we propose a conceptual model exploring the factors influencing information security culture.

Information security culture: A management perspective

Computers & Security, 2010

Information technology has become an integral part of modern life. Today, the use of information permeates every aspect of both business and private lives. Most organizations need information systems to survive and prosper and thus need to be serious about protecting their information assets. Many of the processes needed to protect these information assets are, to a large extent, dependent on cooperative human behavior. Employees, whether intentionally or through negligence, often due to a lack of knowledge, are the greatest threat to information security. It has become widely accepted that the establishment of an organizational sub-culture of information security is key to managing the human factors involved in information security. This paper briefly examines the generic concept of corporate culture and then borrows from the management and economic sciences to present a conceptual model of information security culture. The presented model incorporates the concept of elasticity from the economic sciences in order to show how various variables in an information security culture influence each other. The purpose of the presented model is to facilitate conceptual thinking and argumentation about information security culture.

A proposal of an organizational information security culture framework

Proceedings of the International Conference on Information, Communication Technology and System (ICTS) 2014

The efficiency of various technical information security controls depends on the 'people' who interact with the information every day. Information security culture aims at protecting information assets by guiding how things are done in an organization with regard to information security, through influencing employees' security behavior. This paper reviews key frameworks proposed in the literature between 2003 and 2013 for establishing and maintaining information security culture inside organizations. The review draws attention to the need for more investigation in the field to provide comprehensive frameworks for information security culture within organizations. This paper attempts to propose one. The framework incorporates key change management principles and has five main dimensions, representing the strategy, technology, organization, people and environment issues that affect an effective information security culture.

Information Security Culture: Fusion of Professional and Personal Lives

2015

This annotated bibliography explores the core values organizations must possess in order to implement information security cultures that incorporate information security awareness and develop information security behaviors while maximizing productivity and reducing the number of security incidents created from end users. The bibliography is based on literature published from 2005 to 2015. Conclusions drawn from the literature describe the different corporate culture frameworks and training methodologies needed to cultivate an information security culture.

Fostering Information Security Culture In Organizations: A Research Agenda

MCIS, 2017

Information security is a major challenge for organizations due to the proliferation of digitization and constant connectivity. It is becoming widely accepted that raising an information security culture, meaning instilling security behaviour in people interacting with ICTs, is key to maintaining a healthy security posture. However, the academic field of information security culture has been described as immature and lacking empirical validation, while the constituents of the concept, as well as methods, tools, frameworks and metrics for fostering and evaluating it within organisations, remain elusive. This paper, based on a critical analysis of relevant literature and practice, provides a research agenda of critical issues that need to be addressed so that users, from being security's weakest link, become an important actor for proactive information security. These issues include the need for proper and employable definitions of information security culture and the need to explore the existence of security subcultures; the need to develop frameworks, tools and metrics for guiding, evaluating and comparing security culture raising programs; the need to explore the interplay between organisational elements (including organisational structure, type and management practices) and security culture; the need to identify the impact of security culture on issues such as innovation adoption; the need to investigate the influence of national and organisational culture on security culture; and so on.

A Comprehensive Human Factor Framework for Information Security in Organizations

2015

Human factors represent an essential issue in the security of information in organizations, as human factors determine the behavior of employees toward information security. This paper attempts to integrate related human factors, recognized by previous work, into a structured comprehensive framework. The framework has four main domains that take the form of a diamond. Two domains are concerned with environment and management issues, representing an organizational dimension; the other two are related to preparedness and responsibility issues, giving an employee dimension. The domains at the four corners of the diamond interact with one another, influencing human behavior toward information security. Expert views on the framework have been collected through a survey that addresses the importance of its various components to human behavior. The framework provides a base for the future investigation of information security protection in organizations, and the development of c...

Information security culture: A definition and a literature review

2014 World Congress on Computer Applications and Information Systems (WCCAIS), 2014

Information security culture guides how things are done in an organization with regard to information security, with the aim of protecting information assets and influencing employees' security behavior. In this paper, we review key literature on information security culture published during 2003-2013. The objective was to identify the frameworks proposed to establish and maintain information security culture inside organizations. Moreover, other issues were investigated, such as the appropriate definition and the methodology used in this field of research. The review identified 62 papers published in that period (2003-2013) that focused on information security culture in organizations as their main topic. The review draws attention to the importance of information security culture and the need for more investigation in the field to provide a comprehensive framework for the establishment of information security culture within organizations.