Understanding challenges of information security culture: a methodological issue

Investigating information security culture challenges in a public sector organisation: a Malaysian case

2007

This thesis seeks to investigate information security culture challenges in a Malaysian public sector organisation. Although many organisations have implemented technical solutions to protect information resources from adverse events, internal security breaches continue to occur. Therefore, an approach that emphasises an information security culture within the organisation is required to make security a part of employees' daily work routines.

Information security management: A case study of an information security culture

This thesis argues that in order to establish a sound information security culture it is necessary to look at an organisation's information security systems in a sociotechnical context. The motivation for this research stems from the continuing concern of ineffective information security in organisations, leading to potentially significant monetary losses. It is important to address both technical and non-technical aspects when dealing with information security management. Culture has been identified as an underlying determinant of individuals' behaviour, and this extends to information security culture, particularly in developing countries. This research investigates information security culture in the Saudi Arabian context.

Information security culture: A definition and a literature review

2014 World Congress on Computer Applications and Information Systems (WCCAIS), 2014

Information security culture guides how things are done in an organization in regard to information security, with the aim of protecting the information assets and influencing employees' security behavior. In this paper, we review key literature on information security culture that was published in the period 2003-2013. The objective was to identify the frameworks that were proposed to establish and maintain information security culture inside organizations. Moreover, other issues were investigated, such as the appropriate definition and the methodology used in this field of research. The review identified 62 papers that were published in that period (2003-2013) and were focused on information security culture in organizations as the main topic of the paper. The review draws attention to the importance of information security culture and the need for more investigation in the field to provide a comprehensive framework for the establishment of information security culture within organizations.

Understanding information security culture: A conceptual framework

Information Security South Africa ( …, 2006

The importance of establishing an information security culture in an organization has become a well-established idea. The aim of such a culture is to address the various human factors that can affect an organization's overall information security efforts. However, understanding both the various elements of an information security culture, as well as the relationships between these elements, can still be problematic. Schein's definition of a corporate culture is often used to aid understanding of an information security culture. This paper briefly introduces Schein's model. It then incorporates the important role knowledge plays in information security into this definition. Finally, a conceptual framework to aid understanding of the interactions between the various elements of such a culture is presented. This framework is explained by means of illustrative examples, and it is suggested that this conceptual framework can be a useful aid to understanding information security culture.

Information Security Culture: A Comparative Analysis of Four Assessments

An Information Security Culture Assessment (ISCA) aids in identifying what components an organisation needs to enhance or impede to improve the protection of the organisation's information. The objective of the ISCA, developed in previous research by the authors, is to assess the current information security culture level in organisations using a survey approach. This paper discusses a case study of one of the international financial institutions where the ISCA was conducted four times over a period of eight years, across twelve countries. The research indicated that the information security culture improved from one assessment to the next, with the most positive results obtained in 2013. The Group Information Security Officer concentrated on training as the main improvement action in each country, in line with the recommendations of each assessment. It was found that the results of employees who received prior information security training were significantly more positive than those of employees who did not. The overall information security culture, from a dimensional and biographical perspective, also improved from one assessment to the next. The output of the ISCA can aid management in directing and prioritising information security awareness and training in terms of topics and biographical groups in the organisation. It provides insight into an approach that organisations can consider to address the risk to the protection of information, from an employee perspective. The trends identified in the case study also aid in understanding how an adequate information security culture can be inculcated in an organisation.

Defining organisational information security culture—Perspectives from academia and industry

Computers & Security, 2020

The ideal or strong information security culture can aid in minimising the threat of humans to information protection and thereby aid in reducing data breaches or incidents in organisations. This research sets out to understand how information security culture is defined from an academic and industry perspective using a mixed-method approach. The definition, the factors necessary to instil the ideal information security culture and the potential impact of the ideal information security culture were investigated from both perspectives. A survey approach was implemented to obtain the views from industry, and 512 respondents from organisations, many of which operate at an international level, participated in the survey. The research presents a description of information security culture, integrating the existing literature and expanding on it with the views of industry, thereby giving clarity to the concept. The ideal information security culture was identified with the top traits relating to aspects such as an aware and knowledgeable workforce implementing conscientious, caring behaviour to comply with policies as guided by management. The factors that could positively influence an information security culture were identified, consolidated and expanded to five external factors and twenty internal factors. Organisations that have a strong information security culture were identified as achieving mutual trust and integrity through the protection of their information. The description of an information security culture can be used as a baseline to define and understand the concept, identify a single, comprehensive set of factors to be implemented, comprehend the traits of such a culture, as well as what an organisation can achieve by having a strong information security culture. The analysis showed that scientific interpretations of the definitions and factors of information security culture are much wider than industry's understanding of them. Both the results from the scoping review of papers and the feedback from the industry experts are synthesised visually to provide an organisational information security culture model (OISCM). The definition, factors and model that influence the organisational culture of information security have prognostic value for industry. For scientists, this is an important topic for further research on methods and forms of increasing the level of this knowledge.

Information security culture: A management perspective

Computers & Security, 2010

Information technology has become an integral part of modern life. Today, the use of information permeates every aspect of both business and private lives. Most organizations need information systems to survive and prosper and thus need to be serious about protecting their information assets. Many of the processes needed to protect these information assets are, to a large extent, dependent on cooperative human behavior. Employees, whether intentionally or through negligence, often due to a lack of knowledge, are the greatest threat to information security. It has become widely accepted that the establishment of an organizational sub-culture of information security is key to managing the human factors involved in information security. This paper briefly examines the generic concept of corporate culture and then borrows from the management and economic sciences to present a conceptual model of information security culture. The presented model incorporates the concept of elasticity from the economic sciences in order to show how various variables in an information security culture influence each other. The purpose of the presented model is to facilitate conceptual thinking and argumentation about information security culture.

A Conceptual Model for Exploring the Factors Influencing Information Security Culture

International Journal of Security and Its Applications

Human behavior is considered one of the main threats in an organization. Owing to the fact that the human element is the weakest link in the security area, it is crucial to provide an ideal information security culture within an organization in order to guide employees' perceptions, attitudes and security behavior. Furthermore, this culture can protect an organization against many information security threats posed by the employees. In this paper, we propose a conceptual model exploring the factors influencing information security culture.

Information Security Culture Model for Malaysian Organizations: A Review

International Journal of Advanced Trends in Computer Science and Engineering, 2020

The establishment of Information Security Culture (ISC) has been recommended for improving employees' information security in the organization. To date, there is still no clear guidance or model for assessing and cultivating ISC for Malaysian organizations, despite some Malaysian-based studies having been carried out. In order to shed light on this issue, we reviewed all ISC models developed in the Malaysian context to identify models for particular types of organization in Malaysia. Three major databases, Web of Science, Scopus and Google Scholar, were systematically exhausted, and we found only six papers from 2000 to 2018 that met our selection criteria. Our analysis revealed that a lack of validated ISC models has been produced for particular types of organization. The current models are only applicable to healthcare, library and public organizations in Malaysia. In addition, there is a lack of consistency in terms of the ISC factors used in the ISC models, and there is no common set of factors that could be applied to all types of Malaysian organization. This review has amplified the need for more thorough and in-depth studies of ISC models in the Malaysian context.