Understanding organizational security culture

Organizational security culture: More than just an end-user phenomenon

2006

The concept of security culture is relatively new. It is often investigated in a simplistic manner, focusing on end-users and on the technical aspects of security. Security, however, is a management problem, and as a result the investigation of security culture should also have a management focus. This paper discusses security culture based on an organisational culture framework of eight dimensions. We believe that use of this framework in security culture research will reduce the inherent bias of researchers who tend to focus only on the technical aspects of culture from an end-user's perspective.

Security Culture as Organisational Weakness

Academia Letters, 2021

In the constantly evolving organisational environment, driven by competitive forces, governed and regulated, and populated by diverse and constantly refreshing workforces, the maintenance of effective, efficient security is a significant challenge. Alongside the need to protect assets, it is generally agreed and understood that security culture is an essential component for success. To contribute to that: 'The underlying premise of establishing a security culture is that organisations have a much greater chance of protecting their assets if everyone plays an active part' (Furnell and Clarke, 2005:67). It is also essential that those who are required to manage organisations understand that they have a part to play, while inaccurate managerial perceptions of the effectiveness of security measures can have a deleterious effect (Taylor and Brice, 2012). In organisations where a wide range of behaviours, attitudes and mores may not be straightforwardly summarised or encompassed by the single term 'culture', managers should recognise this and understand that 'unitarist', 'pluralist' and even 'anarchist' cultures may build and develop (Willcoxson and Millet, 2000). If it is assumed that those responsible for organisational performance need to ensure that its assets are secured and protected, it does not follow that there is an understanding of how that may be achieved. Moreover, it is not necessarily a sound or supporting assumption that a culture to develop and maintain effective security truly exists. Although it is probable that organisations should aspire to the cultural paradigm that: 'open and generative culture will mean better uptake of innovations and better response to danger

Achieving a Security Culture

Cybersecurity Education for Awareness and Compliance, 2019

A security culture can be a competitive advantage when employees uphold strong values for the protection of information and exhibit behaviour that complies with policies, thereby keeping incidents and breaches to a minimum. The security culture in an organisation may, however, differ among departments, job levels, or even generational groups. It poses a risk when it is not conducive to the protection of information and when security incidents and breaches occur due to employee error or negligence. This chapter aims to give organisations an overview of the concept of security culture, the factors that could influence it, an approach to assessing the security culture, and a way to prioritise and tailor interventions for high-risk areas. The outcome of the security culture assessment can be used as input to define security awareness, training, and education programmes that help employees exhibit behaviour that complies with security policies.

Organisational security culture: Extending the end-user perspective

Computers & Security, 2007

The concept of security culture is relatively new. It is often investigated in a simplistic manner, focusing on end-users and on the technical aspects of security. Security, however, is a management problem, and as a result the investigation of security culture should also have a management focus. This paper describes a framework of eight dimensions of culture. Each dimension is discussed in terms of how it relates specifically to security culture, based on a number of previously published case studies. We believe that use of this framework in security culture research will reduce the inherent bias of researchers who tend to focus only on the technical aspects of culture from an end-user's perspective.

Security Culture Impact on Security Excellence in a Company

Innovative Issues and Approaches in Social Sciences, 2012

Awareness and behaviour of organisational members are the outcome of a strong, complete and standards-supported security culture. A major challenge for the current organisation is to encourage organisational members to take security seriously. This paper examines the impact of security culture characteristics on the behaviour of organisational members regarding security. My prediction was that the open purpose of the company and its reliability had a significant impact on collective actions regarding security. Additionally, an appropriate security culture in a company is the real guarantee of secure actions by employees. The results of my study support the hypothesis that security culture differs between companies and increases positive behaviour of employees towards security excellence. However, I have found evidence that the adaptability and involvement traits of the security culture in our study do not significantly affect excellence in security behaviour. I recommend that managers involve employees in operational security problem solving and continuously and publicly communicate current and predicted security threats. As a result, reliable preventative actions will follow and support the excellence of the company and the quality of life of all company stakeholders.

Information Security Culture: A Comparative Analysis of Four Assessments

An Information Security Culture Assessment (ISCA) aids in identifying which components an organisation needs to strengthen or restrain in order to improve the protection of the organisation's information. The objective of the ISCA, developed in previous research by the authors, is to assess the current level of information security culture in organisations using a survey approach. This paper discusses a case study of an international financial institution in which the ISCA was conducted four times over a period of eight years, across twelve countries. The research indicated that the information security culture improved from one assessment to the next, with the most positive results obtained in 2013. The Group Information Security Officer concentrated on training as the main improvement action in each country, in line with the recommendations of each assessment. It was found that the results of employees who had received prior information security training were significantly more positive than those of employees who had not. The overall information security culture, from both a dimensional and a biographical perspective, also improved from one assessment to the next. The output of the ISCA can aid management in directing and prioritising information security awareness and training in terms of topics and biographical groups in the organisation. It provides insight into an approach that organisations can consider to address the risk to the protection of information from an employee perspective. The trends identified in the case study also aid in understanding how an adequate information security culture can be inculcated in an organisation.

Information security management: A case study of an information security culture

This thesis argues that in order to establish a sound information security culture it is necessary to look at an organisation's information security systems in a sociotechnical context. The motivation for this research stems from the continuing concern over ineffective information security in organisations, leading to potentially significant monetary losses. It is important to address both technical and non-technical aspects when dealing with information security management. Culture has been identified as an underlying determinant of individuals' behaviour, and this extends to information security culture, particularly in developing countries. This research investigates information security culture in the Saudi Arabian context.

Exploring the Relationship between Organizational Culture and Information Security Culture

Managing information security is becoming more challenging in today's business environment because people are both a cause of information security incidents and a key part of the protection against them. As the impact of organisational culture (OC) on employees is significant, many researchers have called for the creation of an information security culture (ISC) in organisations to influence the actions and behaviour of employees towards better organisational information security. Although researchers have called for an ISC to be embedded in organisations, the literature suggests that little past research has examined the relationship between the nature of OC and ISC. This paper seeks to explore that relationship and argues that organisations with a medium to high security risk profile need to embed an ISC to influence employee actions and behaviours in relation to information security practices. In addition, this paper introduces a framework to assist organisations in determining the extent to which the desired ISC is embedded in their OC.

Understanding challenges of information security culture: a methodological issue

2nd Australian Information Security Management …, 2004

Although many organisations have implemented technical solutions to protect information resources from adverse events, internal security breaches continue to occur. Therefore an approach that emphasises an information security culture within the organisation is required to make security a part of employees' daily work routines. In order to develop a successful information security culture within an organisation, it is necessary to understand both the technical and the non-technical aspects of information security. Thus, this paper aims to investigate and discuss the conceptual and methodological issues pertaining to the challenges of information security culture. MAMPU (Malaysian Administrative Modernisation and Management Planning Unit) was chosen as the subject of analysis and serves as the specific in-depth case study for the investigation. In terms of epistemological approach, the interpretivist paradigm has been adopted as the main strategy of inquiry. For data collection, this research used a questionnaire survey, semi-structured interviews, reviews of information security documents and observations. A conceptual framework based on a model of organisational culture was also established to guide the data collection techniques. This paper is essentially an attempt to review and justify, from an academic standpoint, the conceptual and methodological decisions taken in each of the procedures outlined above.